79565831

Date: 2025-04-10 06:09:50
Score: 1.5
Natty:

Jordan Mills - would love to know how you did this because I've found it impossible so far. You can't use a principal from the child domain in the creation of the account, for example `New-ADServiceAccount -Name accountName -DNSHostName accountname.parent.dom -PrincipalsAllowedToRetrieveManagedPassword "CN=computername,OU=something,DC=child,DC=parent,DC=com"`, and if you use a domain local group in the parent domain for the "PrincipalsAllowedToRetrieveManagedPassword" argument and then add the computer from the child domain to the group, you get an error on the computer in the child domain when you try to install the GMSA saying it can't find the GMSA, because it only looks in the child domain. The process to install never looks in the parent domain for the account.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Single line (0.5):
  • Low reputation (1):
Posted by: Craig Brown