Adding “Enterprise Admins” group of forest A to “Enterprise Admins” group of forest B

active-directory

First of all, I'd like to point out that this question is purely theoretical. I'm asking it to better understand the nature of different groups in Active Directory.

So, I have created two separate Active Directory forests, say forest A and forest B. Moreover, I manually created a two-way transitive forest trust between them. Now, I want to try one more thing: Allow any enterprise admin in forest A to perform any administrative task in forest B.

To do so, I thought of adding the "Enterprise Admins" group of forest A to the "Enterprise Admins" group of forest B. This is impossible, since the "Enterprise Admins" group can only have members within the same forest.

Next, I tried to add an intermediate group to forest B. The idea is:

"Enterprise Admins" of A ==> Intermediate group ==> "Enterprise Admins" of B

However, the only group which can host members of other forests is a "local group," which cannot be a member of any other type of groups.

So, I'm stuck here. Is it possible to achieve this task?

Best Answer

Unfortunately, this is impossible; the enterprise admins group can be either global or universal in scope, but in either case security principals from other forests cannot be added. The only scope which can contain security principals from other forests is the domain local scope, which can never be used outside the domain it belongs to. This includes both subgroups and users.

However, the administrators group of each domain is a domain local group, so you could add the enterprise admins group from the other forest to the administrators group of each domain. This is likely the tedious operation you were trying to avoid, but it is the easiest way to grant this permission.

For reference, check out these TechNet articles:
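The procedure the answer describes, scripted as an added example (this is not code from the original post or answer): add forest A's "Enterprise Admins" to the domain local "Administrators" group of every domain in forest B. It assumes the ActiveDirectory PowerShell module, an existing two-way forest trust, that the session has admin rights in forest B and can read forest A's root domain over the trust (pass -Credential to Get-ADDomain if it cannot), and that the DC hostnames are placeholders for your own. It also relies on the LDAP "<SID=...>" member syntax, which lets each forest B domain controller create the foreignSecurityPrincipal object itself; that is an assumption about your environment, so check the verification output.

```powershell
# Added example, not from the original post: grant forest A's Enterprise Admins
# membership in the Administrators group of every domain in forest B.
Import-Module ActiveDirectory

$forestADc = 'dc1.a.example'   # assumption: any DC in forest A's root domain
$forestBDc = 'dc1.b.example'   # assumption: any DC in forest B

# Enterprise Admins always has the well-known RID 519 under the forest root
# domain SID, so its SID can be derived without a cross-forest group lookup.
$rootA  = Get-ADDomain -Server $forestADc
$eaSidA = "$($rootA.DomainSID.Value)-519"

# Administrators is a domain local group, so it must be done once per domain.
$forestB = Get-ADForest -Server $forestBDc
foreach ($domain in $forestB.Domains) {
    $dc = (Get-ADDomainController -Discover -DomainName $domain).HostName[0]
    # The <SID=...> form (assumption: supported by your DCs) makes the DC
    # resolve the foreign SID and create the foreignSecurityPrincipal for us.
    Set-ADGroup -Identity 'Administrators' -Server $dc -Add @{ member = "<SID=$eaSidA>" }
    Write-Host "Added $eaSidA to Administrators in $domain"
}

# Verification: read the member attribute directly (more robust than
# Get-ADGroupMember when foreign principals are present) and translate
# each foreign SID back to a DOMAIN\Name account over the trust.
foreach ($domain in $forestB.Domains) {
    $dc = (Get-ADDomainController -Discover -DomainName $domain).HostName[0]
    $members = (Get-ADGroup -Identity 'Administrators' -Server $dc -Properties member).member
    $members | Where-Object { $_ -like 'CN=S-1-5-*' } | ForEach-Object {
        $sid  = ($_ -split ',')[0] -replace '^CN='
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
        Write-Host ("{0}: foreign member {1} = {2}" -f $domain, $sid, $name)
    }
}
```

Once this is in place, anyone who controls Enterprise Admins in forest A is a local administrator on every domain controller in forest B, so forest A is effectively inside forest B's security boundary; treat forest A's root domain and its admin accounts with the same care as forest B's own.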