Domain Local Group Forest Trust
AD trusted domain local groups cannot access a NAS via SMB due to the nature of MSDN specifications. See the following diagram. In this diagram, the NAS is an AD member server of Windows AD domain A (Dom A) and has a forest trust relationship with.
Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Domain local groups can be converted to a universal group provided that there are no other domain local groups in its membership. Global catalog and POSIX attributes: Active Directory does not replicate POSIX attributes with its default settings. The issue occurs in Windows 8.1, Windows Server 2012 R2, Windows 8, and Windows Server 2012.
If the domain local group does have other domain local groups as members, then these must be removed from the membership before a conversion is made. What this does mean for an attacker is that you can spoof any RID 1000 group if SID history is enabled across a forest trust. Universal groups can be a member of domain local groups or other universal groups, but not global groups. This is because the Domain Admins group is a global group, whereas only domain local groups are added in the PAC.
Universal groups do not care about trust. They can contain users and groups (global and universal) from any domain in the forest.