JSI Tip 1304. Local/Global Groups and Trusts.

If an Administrator attemps to manage resources in a trusting domain, and receives an access denied, it is likely that they haven't added the Domain Admins Global group from the trusted domain to the Local Administrators group in the trusting domain. This does not happen automatically.

Even though you granted local group permissions to resources on a Member Server, members receive access denied.

Assuming you configured the proper Share and NTFS permissions, it is important to remember that Member Servers (and Workstations) have separate account databases from the Domain Controllers. Trying to add a Local group from a Domain Controller to a Local Group on a Member Server results in a meaningless relationship.

To grant user in a trusted domain access to resources in a trusting domain:

1. Create a Global group in the trusted domain.

2. Create a Local Group on the Member Server in the trusting domain.

3. Add the Global group from step 1 to the Local group from step 2.

4. Assign Share and NTFS permissions to the Local group from step 2.