We have two domains that were previously two different companies. I have been told by level 3 engineering that "a sufficient trust has been built". I was asked to put a user in what I will call domain ABC.COM into a group in domain XYZ.COM. I am logged into my workstation into domain XYZ.COM and have ADUC up. I can connect to domain ABC.COM and XYZ.COM, but when I call up a group I need in ABC.COM I cannot see the user I need in XYZ.COM. It is like I need to be at the FORREST level not the DOMAIN level. I know I am an ENTERPRISE and DOMAIN ADMIN. How can I verify if the proper trust is really built and how can I get up one level higher so I can add users in one domain to a group in the other? We are on FORREST LEVEL 2003
You'd have to use a Local group to secure whatever resource, then add either Global groups or foreign security principals (aka ABC users) to that.
I wouldn't turn away from ADMT despite what they've said, it would have made this task a lot easier, even for one user at a time. This is because it can be told to write the SID for the user from XYZ into the SID History in ABC (as part of the migration). Then you can continue to control access using the account XYZ (courtesy of the matching SID / SID History) until you're ready to ditch XYZ entirely (and provided you disable SID filtering on the trust).
It makes the user-end of a migration a truck-load easier as well, ADMT can rewrite the user profile when you migrate a computer.
Chris