<div>
What's the error you're getting?
</div>


<div>
No error - I cannot see DomainB in the list when I try to add the users to a non &quot;domain local&quot; group<br />
<br />
And the &quot;domain local&quot; group I have created on dominaA with users from DomainB doesn't show up when I try to add to another group.<br />
<br />
Thanks,<br />
Steven
</div>


<div>
By design:<br />
<br />
You cannot add user from one domain to global group in another domain, global groups can accept users and groups from same domain<br />
<br />
With domain local group you already tested the functionality, domain local groups cannot be added to any groups in other domain, as the name says, they are local groups for domain<br />
<br />
what about universal groups, have you tested ?<br />
With universal groups, they can accept users, global groups and universal groups from own domain and other domain?<br />
<br />
Let us know results of above
</div>


IT/EE Solution Guide

Iamthecreator OM

<div>
YEs tested universal - does not show the DomainB when I go to add the users like it does for Domain.local<br />
<br />
I remember this being a lot easier (it has been a few years since I have done this).<br />
<br />
Thanks,<br />
Steven
</div>


<div>
what is your trust authentication level?<br />
<br />
I believe you have selected selective authentication, change it to domain wide authentication from trust properties and issue should get resolved
</div>


<div>
Sorry, just checked (from both sides/both servers) and both are domain wide authentication.<br />
<br />
Thanks,<br />
Steven
</div>


<div>
How you are trying to users to groups ?<br />
<br />
Don't do it from user properties<br />
Navigate to universal group properties on one domain and check if you are able to locate users, global groups and universal groups from other domain?<br />
Note that distribution group type may not be listed
</div>


<div>
I have created three test groups:<br />
- Test_Domain local<br />
- Test_Global<br />
- Test_universal<br />
<br />
I go into each group and try to add users, the only one I can see the DomainB from is the Test_Localdomain group.<br />
<br />
Same on both sides (both domains).<br />
<br />
Steven
</div>


<div>
What type of group is Test1? based on your statement 
<blockquote>
 - Add &quot;Test1&quot; group to any other group on DomainA 
</blockquote>
, i assume test1 is a global group and if so, then yes you cannot add it to any group on DomainA except if it is a domain local group.<br />
<br />
Universal groups can contain global groups from any domain in the <b>same </b>forest.<br />
<br />
Keep in mind the good old A.G.DL.P (Accounts into global groups into domain local groups which are given permissions) or A.G.U.DL.P (Accounts into global groups into universal groups into domain local groups which are given permissions - this is generally used for cross-forest/trust setups - <a href="https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml" rel="ugc">https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml</a>)<br />
<br />
(for your reference - <a href="https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups" rel="ugc">https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups</a>)
</div>


<div>
Hi Ibrahim,<br />
<br />
I recreated the groups for testing. &quot;Test1&quot; is the &quot;Test_DomainLocal&quot; which is a domain local group. &nbsp;This will allow me to add users from DomainB but I cannot add this group to another existing group.<br />
<br />
Sorry forgot to mention - both domains are not in the same forest - completely separate.<br />
<br />
I just don't get how I am support to reuse any of my old groups. &nbsp;Do I have to create a separate structure of groups that cannot be part of the old structure (all new domain local groups). &nbsp;Doesn't feel right.<br />
<br />
Thanks,<br />
Steven
</div>


<div>
<blockquote>
I recreated the groups for testing. &quot;Test1&quot; is the &quot;Test_DomainLocal&quot; which is a domain local group. &nbsp;This will allow me to add users from DomainB but I cannot add this group to<b> another existing group</b>.
</blockquote>
What type of group is this other &quot;existing group&quot;? Remember that domain local groups can only be members of other domain local groups in the same domain, not forest.<br />
<br />
Maybe lets take a step back and see exactly what it is you are trying to accomplish with this nesting conundrum :). What is your goal? is there a resource that you are trying to assign users permission to?
</div>


<div>
If you could explain what type of groups you already have, we can sort it out..
</div>


<div>
We are rebuilding our domain (from scratch) as n years ago our company name changed, we have also now purchased datacentre licenses for 2016 so want to rebuild our estate up from 2012. &nbsp;We have so far created the first new domain controller &quot;DomainB&quot; and we want to slowly rebuild our estate into DomainB. &nbsp;We will be adding all new users to DomainB and migrating old (over months) from DomainA. &nbsp;This means that we need to allow users into resources on DomainA e.g. remote desktop farm/file server/printing etc.<br />
<br />
In its simplest form I would like to add users from DomainB to existing security groups on DomainA (and the other way as the migration completes).<br />
<br />
Hope this manes sense.<br />
<br />
Steven
</div>


Techy

Olleco

<div>
<div class="content wysiwyg-content">
Please help, little confused...<br />
<br />
I have created a two way trust between domainA and DomainB<br />
- Both 2016 level<br />
- Validated/tested<br />
<br />
I can create a &quot;domain local&quot; type group on domainA and add users from DomainB = Test1<br />
<br />
I can't:<br />
- Add user from DomainB to any other type groups on DomainA<br />
- Add &quot;Test1&quot; group to any other group on DomainA <br />
<br />
Am I missing something blindingly obvious??<br />
<br />
Kind regards,<br />
Steven
</div>
</div>


Please help, little confused...

I have created a two way trust between domainA and DomainB
- Both 2016 level
- Validated/tested

I can create a "domain local" type group on domainA and add users from DomainB = Test1

I can't:
- Add user from DomainB to any other type groups on DomainA
- Add "Test1" group to any other group on DomainA 

Am I missing something blindingly obvious??

Kind regards,
Steven

Trust relationship - adding users from DomainA to groups on DomainB

Trust Relationships

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

A domain controller is a server that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain