Trusted domain users/groups inside a trusting domain

active-directory

I have a one-way domain trust set up and it's working if I want to deal with users on a per-user basis from the trusted domain. Let's say we have 'Parent.Domain.com' and 'Child.Domain.com' where Child trusts Parent but Parent does not trust Child – aside from this trust, the two domains are 100% unrelated. For all servers within Child, I can now specify permissions for users in Parent, so that tells me that the trust is working.

Now I'd like to take it to the next level and start setting up permissions domain-wide within Child for my Parent users and groups, but this is where I'm failing. The first thing I wanted to do was have all Domain Admins within Parent also be in the Domain Admins group in Child. However, when I go to add this membership to the Child's Domain Admins group, I can't see anything from my Parent domain, neither groups nor users (I simply don't see Parent.Domain.com within the Locations tree).

My research shows everybody mentioning Group Scope as being important here, so I started looking into this. After research and trial/error, I am able to create a new group (domain local) called Parent Domain Admins and add the Domain Admins group from the Parent domain into it. However, I still cannot add this group into the Domain Admins group in Child.

I'm to the point where I don't know what else to try and Google is failing me. How can I accomplish this sort of thing?

Best Answer

My solution to this problem was to create a domain local group (like you had done), add the desired users from the parent domain to the child domain local group, and then use group policy to add that group to the local administrators group of all computers in the child domain.
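The accepted answer's approach, scripted as an added example (this is not code from the original post). The reason the original attempt fails is a group-scope rule: Domain Admins is a global group, and a global group can only contain principals from its own domain, whereas a domain local group can contain users and groups from any trusted domain (they are stored as foreign security principals in the child domain). The script assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, that it is run by a Child domain admin with a trust in place, and that the domain names, group name, OU path and GPO name are placeholders to replace:

```powershell
# Added example, not from the original answer. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$childDomain  = 'child.domain.com'    # trusting domain: the group lives here
$parentDomain = 'parent.domain.com'   # trusted domain: the admins come from here
$groupName    = 'Parent Domain Admins'
$groupSam     = 'ParentDomainAdmins'
$targetOU     = 'OU=Groups,DC=child,DC=domain,DC=com'  # placeholder OU
$gpoName      = 'Local Admins - Parent Domain Admins'   # placeholder GPO name

# 1. Create a DOMAIN LOCAL security group in the child domain. Only this scope
#    can hold principals from a trusted domain; Domain Admins is global, so the
#    parent's accounts never show up in its member picker.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupSam'" -Server $childDomain)) {
    New-ADGroup -Name $groupName -SamAccountName $groupSam `
        -GroupScope DomainLocal -GroupCategory Security `
        -Path $targetOU -Server $childDomain `
        -Description "Domain local group holding Domain Admins from $parentDomain"
}

# 2. Resolve the parent's Domain Admins group against a parent DC and pass the
#    whole object (it carries the SID) so the child DC can create the matching
#    foreign security principal. Passing only the name string tends to fail
#    across a trust because the child DC cannot resolve it.
$parentAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $parentDomain
Add-ADGroupMember -Identity $groupSam -Members $parentAdmins -Server $childDomain

# 3. Verify. Members from the trusted domain appear as DNs under
#    CN=ForeignSecurityPrincipals in the child domain, named by SID.
Get-ADGroup -Identity $groupSam -Properties member -Server $childDomain |
    Select-Object -ExpandProperty member

# 4. Create and link the GPO that will push the group into the local
#    Administrators group of every computer in the child domain. The Restricted
#    Groups entry itself is configured in the Group Policy Management Editor:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Restricted Groups. There is no cmdlet for that step.
if (-not (Get-GPO -Name $gpoName -Domain $childDomain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $childDomain | Out-Null
}
New-GPLink -Name $gpoName -Target 'DC=child,DC=domain,DC=com' -Domain $childDomain
```

When filling in the Restricted Groups entry, add the child group ("CHILD\ParentDomainAdmins") and set its "This group is a member of" list to Administrators, rather than putting it in the "Members of this group" list of Administrators. The first form appends to the existing local Administrators membership; the second replaces that membership entirely and will remove any existing local admin accounts on every machine the GPO reaches. Scope the GPO link to an OU of servers first and confirm with `gpresult /r` on one machine before linking it at the domain root.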