memberof not set in a cross-forest scenario

Hi,

I have two forests and I created a bi-directional forest trust. In order to prepare for ADMT I tried to add some user from forest A to a domain-local security group in forest B. That seems to be working, as the user is listed in the group's "Members" UI in forest B.

But if you go to the user object in forest A, the group membership is not listed, and you also cannot see it when checking the memberof property. whoami /groups also does not show the group membership. For a domain admin in forest A who is also a member of builtin/Administrators in forest B, that results in "you must be a member of Domain admins", and permission is denied if you try to migrate SID, even if you grant migrate SID history explicitly.

So I have two problems:
1. Why can't I find the group in the memberof? (when checking via GUI or Get-ADPrincipalGroupMembership)
2. Is there any way to migrate the SIDHistory if you are unable to put the account into builtin/Administrators?

What did I miss? Please help.

Thanks in advance,

Martin 


August 28th, 2015 3:26am

This topic is archived. No further replies will be accepted.
