Changing AD Group Scope

Today I had to add a user from one domain to a group on another domain. I have not worked with multiple domains in active directory much. So to my surprise when I went to add this user it could not find them.

In order to do this I had to convert the group from a “Global” group to a “Domain local” group.

Changing between Global and Domain Local

The tricky part is that “Domain local” is grayed out and you can't select it.

Domain local is grayed out

But all you have to do is to select “Universal” first. Then “Domain local” will light up and you can select it next.

I don’t know why you have to do this extra step. Maybe just something old Microsoft needs to update in their GUI.

Things to keep in mind

A domain local group will never show up in a user account’s “Member Of” tab if that user is not in the same domain as the group. This is because the group just holds the Foreign Security Principal (FSP) representation of the user from the other domain.

So it can be a little misleading when you look at a user to see what groups they are in and you don’t see a group you expected to be there. This has happened to me a few times. But if you go to the group itself you will see the user under its “Members” tab.
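The same two-step scope change and the FSP membership check, done from PowerShell instead of the GUI, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module and a trust between the two domains; the group, user and DC names are placeholders.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and two trusting domains; all names below are placeholders.
Import-Module ActiveDirectory

$Group     = 'App-Admins'            # group in the local domain (placeholder)
$OtherDC   = 'dc01.partner.example'  # a DC in the user's home domain (placeholder)
$OtherUser = 'jdoe'                  # user from the other domain (placeholder)

# 1. Global -> Domain Local is not allowed in one step; go through Universal,
#    exactly as the GUI forces you to.
Set-ADGroup -Identity $Group -GroupScope Universal
Set-ADGroup -Identity $Group -GroupScope DomainLocal
(Get-ADGroup -Identity $Group -Properties GroupScope).GroupScope   # DomainLocal

# 2. Add the cross-domain user. Its SID is stored in this domain as a
#    Foreign Security Principal (FSP) object, not as the user's own DN.
$User = Get-ADUser -Identity $OtherUser -Server $OtherDC
Add-ADGroupMember -Identity $Group -Members $User

# 3. Look at the group, not the user: the member entry is the FSP DN.
$FspDns = (Get-ADGroup -Identity $Group -Properties member).member |
    Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' }

# 4. Resolve each FSP SID back to DOMAIN\user so an audit of the group is readable.
foreach ($dn in $FspDns) {
    $sid = (($dn -split ',')[0] -replace '^CN=')
    $acct = (New-Object System.Security.Principal.SecurityIdentifier $sid).
        Translate([System.Security.Principal.NTAccount]).Value
    "{0} -> {1}" -f $sid, $acct
}

# 5. The user's own memberOf in its home domain does not list this group,
#    which is why the "Member Of" tab looks empty for cross-domain groups.
(Get-ADUser -Identity $OtherUser -Server $OtherDC -Properties memberOf).memberOf |
    Where-Object { $_ -like "CN=$Group,*" }   # returns nothing
```

Step 4 is the check to keep for reviews: enumerate the group's FSP members and translate them, since a listing of raw SIDs hides who from the other domain actually has the access.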

I hope this helps someone out there. Have an awesome day!
