Windows – Cross-forest universal groups on Windows Server

Tags: groups, windows

I would like to create a Universal Group whose members are a mix of cross-forest users and groups.

In the following example, two forests are mentioned (US and UK) and two domains in each forest (GeneralStaff and Java):

For example, the universalDevelopers group may comprise members from UK.Java.Developers and US.Java.Developers. Then, for example, there may be a group universalSales which contains the users UK.GeneralStaff.John and US.GeneralStaff.Dave.

In the UK forest at the minute, I can freely add members and groups from the UK. But there is no way to add members from the US forest, despite having a two-way trust in place, e.g. I can log in with US members into the UK and vice versa.

A further complication is that, with a Universal group in the UK (which contains three domains), I can only add two of the three. It can't see the third.

Could people please provide some thoughts on why cross-forest groups can't be created and ways of 'seeing' all domains within a forest.

EDIT: This is on a combination of Windows 2003 and 2008 server. Answers can be regarding either. Thanks!

Best Answer

You can't add users from a trusted forest domain to a Universal Group. You would need to use a Domain Local Group. See Active Directory Group Scope. You don't mention what you want to use the groups for, so that's as much as I can suggest for use.
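The scope rule in the answer, shown as an added example rather than anything from the original post or answer: the ActiveDirectory PowerShell module creates a Domain Local security group in the UK domain, adds a user from the trusted US forest by SID (which makes the UK domain controller create the corresponding object under CN=ForeignSecurityPrincipals), and then lists which members of the group are foreign principals. The domain names, OU path and user name are placeholders, and adding the member through `Set-ADGroup -Add @{member="<SID=...>"}` instead of `Add-ADGroupMember` is this example's own choice, since `Add-ADGroupMember` resolves member identities against the group's own domain.

```powershell
# Added example, not code from the original question or answer.
# Assumes: the ActiveDirectory module (RSAT), a two-way forest trust between
# the UK and US forests, and the placeholder names below.
Import-Module ActiveDirectory

$ukDomain   = "generalstaff.uk.example.com"                          # placeholder
$usDomain   = "generalstaff.us.example.com"                          # placeholder
$ukGroupsOu = "OU=Groups,DC=generalstaff,DC=uk,DC=example,DC=com"    # placeholder

# 1. A Domain Local security group may contain principals from any trusted
#    domain, including one in another forest; a Universal group may only
#    contain principals from its own forest, which is why the cross-forest
#    add in the question fails.
New-ADGroup -Name "universalSales" -GroupScope DomainLocal `
            -GroupCategory Security -Path $ukGroupsOu -Server $ukDomain

# 2. Resolve the US user against a DC in the US domain, then add it to the
#    UK group by SID. The "<SID=...>" DN form is what lets the UK DC create
#    the foreignSecurityPrincipal object for a principal it does not hold.
$dave = Get-ADUser -Identity "Dave" -Server $usDomain               # placeholder user
Set-ADGroup -Identity "universalSales" -Server $ukDomain `
            -Add @{ member = "<SID=$($dave.SID.Value)>" }

# 3. Audit helper: report the group's scope and every member that is a
#    foreign security principal, so cross-forest membership is visible.
function Get-GroupForeignMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid
        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            [pscustomobject]@{
                Group      = $GroupName
                GroupScope = $group.GroupScope
                MemberDN   = $dn
                MemberSID  = $obj.objectSid.Value
            }
        }
    }
}

Get-GroupForeignMembers -GroupName "universalSales" -Server $ukDomain
```

If the same script is run against a group created with `-GroupScope Universal`, the `Set-ADGroup -Add` step is rejected by the directory, which is the behaviour the question describes; changing the scope to Domain Local is the fix the answer gives.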