Windows – Can’t add domain local security group to local machine admin group – Windows Active Directory

Tags: active-directory, windows

This is a 2000 functional level domain 🙁 🙁 🙁

I have a domain local security group in domain A which contains 1 user from a domain B and several from domain A.

On a server in domain A, I can add this domain local group to the local machine Administrators group via 'net localgroup'. However, after doing this I notice that the members of that group aren't being given local admin permissions (can't log in remotely, etc.).

When I look at local groups via the Computer Management GUI I can see the domain local group. I tried to delete it and add it back via the GUI; however, the domain local group can't be found. I can see all the global groups, but not any domain local ones.

I've searched and can't find anything that indicates this shouldn't work.

Should I be able to add a domain local security group to a local machine administrators group?
If so, why would I not be able to find the object using the group management gui?

Best Answer

Workstation SAMs act in many ways like separate domains with a one-way trust relationship. So while I can't find it explicitly documented, I don't find it surprising that this doesn't work, as it is analogous to adding a domain local group from one domain into a domain local group from another domain, which isn't allowed (see table 7-1).

(The only odd thing is that it seems to work if the domain is Windows 2003 functional level, and I can't find this change documented either.)

In any case, you should be able to solve your problem by changing the domain local group into a universal group. Assuming you are at least running in Windows 2000 native mode and not Windows 2000 mixed mode, universal groups are supported, and they are specifically designed for this sort of scenario.
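The following PowerShell script is an added example, not code from the question or the answer. It walks through what the answer recommends on a member server: read the group's scope from the directory via ADSI (so it also works against Windows 2000/2003 domain controllers, where the ActiveDirectory module is unavailable), convert a domain local group to universal, check that the server can actually resolve the group name (the "can't be found" symptom from the question), then add it with `net localgroup` and inspect the result. The DN, NetBIOS domain name and group name are placeholders; run it elevated as a domain account that is allowed to modify the group.

```powershell
# Added example (not from the question or the answer): check a domain group's scope,
# convert it from domain local to universal, add it to the local Administrators
# group and verify the member server resolves it. DN, NetBIOS name and group name
# below are placeholders.

$GroupDn   = 'CN=ServerAdmins,OU=Groups,DC=domainA,DC=example'   # placeholder
$DomainNb  = 'DOMAINA'                                           # placeholder
$GroupName = 'ServerAdmins'                                      # placeholder

# groupType bit flags (ADS_GROUP_TYPE_* values from the Windows SDK)
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000   # PowerShell stores this as Int32 -2147483648

function Get-GroupScope {
    param([int]$GroupType)
    if ($GroupType -band $ADS_GROUP_TYPE_GLOBAL_GROUP)       { return 'Global' }
    if ($GroupType -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) { return 'DomainLocal' }
    if ($GroupType -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP)    { return 'Universal' }
    return 'Unknown'
}

# 1. Read the current scope from the directory.
$group = [ADSI]"LDAP://$GroupDn"
$type  = [int]$group.groupType.Value
$scope = Get-GroupScope -GroupType $type
Write-Host "$GroupName is a $scope group (groupType=$type)"

# 2. A domain local group does not work in a member server's local group, so convert it.
#    Keep the security-enabled bit and replace the scope bits with the universal flag.
#    The directory refuses the change if the group contains another domain local group,
#    and universal groups need Windows 2000 native mode or later (not mixed mode).
if ($scope -eq 'DomainLocal') {
    $newType = ($type -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -bor $ADS_GROUP_TYPE_UNIVERSAL_GROUP
    $group.Put('groupType', $newType)
    $group.SetInfo()
    Write-Host "Converted $GroupName to a universal group (groupType=$newType)"
}

# 3. Confirm the member server can resolve the group before touching local groups.
#    A name that does not resolve is exactly the symptom in the question.
$account = New-Object System.Security.Principal.NTAccount($DomainNb, $GroupName)
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $DomainNb\$GroupName to $($sid.Value)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "This server cannot resolve $DomainNb\$GroupName; fix the group scope or trust first."
}

# 4. Add it to the local Administrators group (same command the question used).
#    net.exe returns a non-zero exit code on failure, including 'member already exists'.
net localgroup Administrators "$DomainNb\$GroupName" /add
if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }

# 5. Verify. An entry listed as a raw SID (S-1-5-21-...) instead of a name means the
#    server stored the SID but cannot resolve it, so its members get no rights.
$pattern = '^' + [regex]::Escape("$DomainNb\$GroupName") + '$'
$members = net localgroup Administrators
$members | Where-Object { $_ -match $pattern -or $_ -match '^S-1-5-' }
```

One caveat worth checking before step 2: universal groups can only contain principals from the same forest. The group in the question holds a user from domain B; if domain B is reached over an external trust rather than being part of the same forest, the conversion is refused, and a different design (for example, a global group per domain nested into the local Administrators group) is needed instead.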