Problems delegating OU permissions on a child domain
Posted on 2008-10-08
This one is driving me crazy. Hope someone can help me out.
I have a parent domain and a child domain: contoso.com and bubble.contoso.com.
In the contoso.com domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.
In the child domain, bubble.contoso.com, I have created a Domain Local Security group (ResourceGroup).
I've given the ResourceGroup permissions on specific OUs and objects in the bubble.contoso.com domain.
I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.
Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience and then due to an un-updated security token.
The only way I can give a user from the parent domain permissions on OU objects in the child domain is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.
This of course is not the way I want things to be.
Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
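
The nesting described in the post, modelled as an added example (not part of the original post and not taken from any directory): a simplified Python model of which group memberships land in a user's token for a resource in a given domain. The user name "alice", the OU's trustee list and the one-function token model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    domain: str
    scope: str                      # "global", "universal" or "domainlocal"
    members: set = field(default_factory=set)   # names of users or groups

def token_groups(user, groups, resource_domain):
    """Groups whose SIDs end up in the user's token for resource_domain.

    Global and universal groups follow the user everywhere in the forest;
    a domain local group is added only by its own domain, so it counts
    only when the resource lives in that domain.
    """
    token, changed = set(), True
    while changed:                  # repeat until nested groups stop adding
        changed = False
        for g in groups:
            usable = g.scope != "domainlocal" or g.domain == resource_domain
            reached = user in g.members or g.members & token
            if usable and reached and g.name not in token:
                token.add(g.name)
                changed = True
    return token

def has_access(user, groups, resource_domain, acl_trustees):
    """True if the user or any group in the token is a trustee on the ACL."""
    return bool(({user} | token_groups(user, groups, resource_domain)) & acl_trustees)

# Constructed data mirroring the post ("alice" and the OU ACL are assumed).
GROUPS = [
    Group("DelegateGroup", "contoso.com", "global", {"alice"}),
    Group("ResourceGroup", "bubble.contoso.com", "domainlocal", {"DelegateGroup"}),
]
OU_ACL = {"ResourceGroup"}          # trustees granted rights on the child-domain OU

if __name__ == "__main__":
    for domain in ("bubble.contoso.com", "contoso.com"):
        print(domain, sorted(token_groups("alice", GROUPS, domain)))
    print(has_access("alice", GROUPS, "bubble.contoso.com", OU_ACL))
```

In this model the ResourceGroup membership appears only in a token built for bubble.contoso.com, and only in a token built after the nesting was put in place.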