Many bugs with adding global groups from trusted forests to domain local groups in Server 2012 R2.

I set up a unidirectional trust between FOREST01 and FOREST02.

FOREST01 is the trusting domain,
FOREST02 is the trusted domain.

FOREST01 has a domain local group ACL_SALES,
FOREST02 has a global group GG_SALES.

I want to add GG_SALES to ACL_SALES.

As user Administrator@FOREST01 I am able to query the Active Directory of FOREST02.

PS C:\> hostname
FOREST01-DC
PS C:\> Get-ADGroup GG_SALES -Server FOREST02

DistinguishedName : CN=GG_Sales,OU=FOREST02,DC=FOREST02,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
Name              : GG_Sales
ObjectClass       : group
ObjectGUID        : 6d58b91f-b11c-40b9-9dd9-b06ad9bc7e83
SamAccountName    : GG_Sales
SID               : S-1-5-21-3826854346-1676647773-3462851188-1104

I am able to add GG_SALES to ACL_SALES with the PowerShell.

PS C:\> $gg_sales = Get-ADGroup GG_SALES -Server FOREST02
PS C:\> $acl_sales = Get-ADGroup ACL_SALES
PS C:\> Add-ADGroupMember $acl_sales -Members $gg_sales

I can verify this worked using the Active Directory Users and Computers Snap-In.

My problem is, that I cannot do the steps described above using only the Active Directory Users and Computers Snap-In.

As you can see in the screenshot below, using the PowerShell as described above, I was able to add GG_SALES to ACL_SALES (blue). But when doing so with the Active Directory Users and Computers Snap-In, I get asked to enter credentials for an account with permissions for FOREST02.LOCAL (red).

Seeing a credential prompt is wrong and inconsistent behaviour. It should just work as it does by using the PowerShell.

Additionally, I cannot use the PowerShell alone to manage my users and groups, as the command Get-ADGroupMember is bugged, too. The moment you add a foreign principal to a domain local group, you see the following error message.

PS C:\Users\Administrator> Get-ADGroupMember ACL_SALES

Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Get-ADGroupMember ACL_SALES
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ACL_SALES:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Research has shown me that this error has existed for three years.

"if you just run Get-Adgroupmember in a powershell window it fails when it encounters a FSP [foreign security principal]" (Advice with get-adgroupmember)

How do you manage forest trusts with those errors? Is there a way to fix those problems? I am not interested in workarounds!

June 3rd, 2015 2:51am

> How do you manage forest trusts with those errors? Is there a way to *fix those problems*? I am *not interested in workarounds*!

We don't use powershell, but ADSI instead - and System.DirectoryService, where appropriate. :)
June 3rd, 2015 1:29pm

> > How do you manage forest trusts with those errors? Is there a way to *fix those problems*? I am *not interested in workarounds*!
>
> We don't use powershell, but ADSI instead - and System.DirectoryService, where appropriate.

Even though I am not sure what you mean, I have a feeling that this is a workaround and does not solve the problem with either the GUI or the PowerShell. But I am curious what this is. Could you give an example?

June 3rd, 2015 2:47pm

Hi,

According to your description, you could add GG_SALES to ACL_SALES with the PowerShell, and it is ok. But when using ADUC, you get a credential prompt, right?

When we use PowerShell to add an AD group member, the way to update cross-forest/domain membership is to first fetch the cross-forest/domain object using any of the AD PowerShell cmdlets.

The reason why the commands work is that the AD PowerShell cmdlets store session information in the objects they return.

You could refer to:

Adding/removing members from another forest or domain to groups in Active Directory

http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx

The second issue:

About the Get-ADGroupMember error, I want to confirm: if you try another group, does it have the same issue? Or is it only the domain local groups that contain members from trusted domains?

Regards.


June 4th, 2015 11:38pm
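An added example, not code posted by anyone in this thread, that follows the reply above: it fetches the trusted forest's group with -Server so the returned object carries its session information, adds it to the domain local group, and then lists the group's members by reading the member attribute directly and resolving each foreignSecurityPrincipal against the trusted forest, rather than calling Get-ADGroupMember. It assumes the ActiveDirectory module is available, that the caller can read FOREST02, and the group names from the thread; the function name Get-GroupMemberWithFsp is made up for this example.

```powershell
# Added example (not from the thread). Enumerate a domain local group's members by
# reading its "member" attribute, resolving any foreignSecurityPrincipal (FSP)
# entries in the trusted forest. Assumes the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

function Get-GroupMemberWithFsp {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $TrustedForest   # e.g. 'FOREST02'
    )

    $localForest = (Get-ADDomain).DNSRoot
    # Reading the raw member DNs does not trip over FSPs the way Get-ADGroupMember does.
    $group = Get-ADGroup -Identity $GroupName -Properties member

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid

        if ($obj.objectClass -ne 'foreignSecurityPrincipal') {
            [pscustomobject]@{ Name = $obj.Name; Class = $obj.ObjectClass; Source = $localForest }
            continue
        }

        # An FSP is a placeholder object whose objectSid is the SID of the account
        # or group in the trusted forest; look the SID up there, as the thread does
        # with -Server FOREST02.
        $sid = $obj.objectSid.Value
        $resolved = Get-ADObject -Server $TrustedForest -Filter "objectSid -eq '$sid'" `
            -Properties sAMAccountName -ErrorAction SilentlyContinue

        $name  = $sid
        $class = 'unresolvedSid'   # trust or lookup failure: keep the raw SID visible
        if ($resolved) {
            $name  = $resolved.sAMAccountName
            $class = $resolved.ObjectClass
        }
        [pscustomobject]@{ Name = $name; Class = $class; Source = $TrustedForest }
    }
}

# Usage mirroring the thread: fetch the trusted forest's global group with -Server,
# add it to the domain local group, then list members without Get-ADGroupMember.
$gg_sales = Get-ADGroup GG_SALES -Server FOREST02
Add-ADGroupMember -Identity ACL_SALES -Members $gg_sales
Get-GroupMemberWithFsp -GroupName ACL_SALES -TrustedForest FOREST02
```

Members that cannot be resolved across the trust are reported with their raw SID and the class unresolvedSid, which is also how stale FSPs left behind by deleted trusted-forest objects show up.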
