diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index 32d1574c6c..ec72c3bf56 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -745,7 +745,16 @@ class V3Controller(wsgi.Application):
         being used.
 
         """
-        token_ref = utils.get_token_ref(context)
+        try:
+            token_ref = utils.get_token_ref(context)
+        except exception.Unauthorized:
+            if context.get('is_admin'):
+                raise exception.ValidationError(
+                    _('You have tried to create a resource using the admin '
+                      'token. As this token is not within a domain you must '
+                      'explicitly include a domain for this resource to '
+                      'belong to.'))
+            raise
 
         if token_ref.domain_scoped:
             return token_ref.domain_id
diff --git a/keystone/tests/unit/test_v3_identity.py b/keystone/tests/unit/test_v3_identity.py
index 33f52ff7b7..5c65b62e40 100644
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@@ -106,6 +106,27 @@ class IdentityTestCase(test_v3.RestfulTestCase):
         ref['domain_id'] = CONF.identity.default_domain_id
         return self.assertValidUserResponse(r, ref)
 
+    def test_create_user_with_admin_token_and_domain(self):
+        """Call ``POST /users`` with admin token and domain id."""
+        ref = unit.new_user_ref(domain_id=self.domain_id)
+        self.post('/users', body={'user': ref}, token=CONF.admin_token,
+                  expected_status=http_client.CREATED)
+
+    def test_create_user_with_admin_token_and_no_domain(self):
+        """Call ``POST /users`` with admin token but no domain id.
+
+        It should not be possible to use the admin token to create a user
+        while not explicitly passing the domain in the request body.
+
+        """
+        # Passing a valid domain id to new_user_ref() since domain_id is
+        # not an optional parameter.
+        ref = unit.new_user_ref(domain_id=self.domain_id)
+        # Delete the domain id before sending the request.
+        del ref['domain_id']
+        self.post('/users', body={'user': ref}, token=CONF.admin_token,
+                  expected_status=http_client.BAD_REQUEST)
+
     def test_create_user_bad_request(self):
         """Call ``POST /users``."""
         self.post('/users', body={'user': {}},