1) abc.com is the primary domain
2) There’s another 2 DC created under this domain
3) I tried creating a user account and delegate rights for the user to create AD account under abc.com
4) When user try to create a new account in both one.abc.com & two.abc.com, they do not have rights to do so.
Base on the above-mentioned, I thought that as long as a user have access to the primary domain, the access rights will propergate down to the secondary domain. Or I still need to manually delegate the rights to each secondary domain?