Unable to add users from across the trust forest to local domain groups

We have recently merged with another company and setup a two-way trust across the forests.

We are able to grant users/groups from the other domain to access our file server files.  However, when I try to add domain admins of the other domain to our domain admin group, I am not able to - I do not see the other domain when I click the ADD to add members.  

Is that an expected behavior?

Please advise.

Thanks.
nav2567Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Domain Admins are per Domain
Enterprise Admins are per Forest (which is what you want here)
0
nav2567Author Commented:
So, adding users from the other domain to group(s) of my domain cannot be done as expected, right?
0
oBdACommented:
No. "Domain Admins" is a global group, and global groups can only have accounts in the same domain as members.
Only domain local or real local groups can have accounts from trusted domains as members.
You can add them to the built-in Administrators group on the DCs, which makes them admins on the DCs - but not domain admins, because they won't be local admins anywhere else.
To make them admins on domain members, you need to add them to the local Administrators group on each machine.
For something similar to Domain Admins, you should create a domain local(!) group "MemberAdmins" or whatever, add this group to the local Administrators group on each machine (manually or through a Restricted Groups GPO), then add the required users or groups from the trusted domain to this group.
2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

nav2567Author Commented:
How do I grant right to my domain groups to access resource(s) such as a file share in the other forest?
0
Chris DentPowerShell DeveloperCommented:
> How do I grant right to my domain groups to access resource(s) such as a file share in the other forest?

You must use Local groups (Domain Local that is). There is no way to include a foreign security principal (a user from outside the forest, for instance) in either Global or Universal groups.

Chris
0
nav2567Author Commented:
Thanks, everyone.  I have got the idea.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.