this is a 2000 functional level domain :( :( :( *
I have a domain local security group in domain A which contains 1 user from a domain B and several from domain A.
On a server in domain A, I can add this domain local group to the local machine administrators group via 'net localgroup'; however, after doing this I notice that the members of that group aren't being given local admin permissions (can't remote login, etc.).
When I look at local groups via the computer mgmt GUI I can see the domain local group. I tried to delete and add it back via the GUI; however, the domain local group can't be found. I can see all the global groups, but not any domain local.
I've searched and can't find anything that indicates this shouldn't work.
Should I be able to add a domain local security group to a local machine administrators group? If so, why would I not be able to find the object using the group management gui?
Workstation SAMs act in many ways like separate domains with a one-way trust relationship. So while I can't find it explicitly documented, I don't find it surprising that this doesn't work, as it is analogous to adding a domain local group from one domain into a domain local group from another domain, which isn't allowed (see table 7-1).
(The only odd thing is that it seems to work if the domain is Windows 2003 functional level, and I can't find this change documented either.)
In any case, you should be able to solve your problem by changing the domain local group into a universal group. Assuming you are at least running in Windows 2000 native mode and not Windows 2000 mixed mode, universal groups are supported, and they are specifically designed for this sort of scenario.
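The remediation this answer suggests (check that the domain is not in Windows 2000 mixed mode, convert the domain local group to universal, then add it to the local Administrators group and confirm the membership is really listed) as an added PowerShell example, not code from any poster. It assumes the RSAT ActiveDirectory module is available, and the domain name `DOMAINA` and group name `ServerX Local Admins` are placeholders.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# a domain named DOMAINA and a domain local group named "ServerX Local Admins";
# both names are placeholders. Run it on the domain member in DOMAINA.
Import-Module ActiveDirectory

function Test-UniversalGroupSupport {
    # Universal security groups need Windows 2000 native mode or later.
    # The functional level reported by Get-ADDomain does not distinguish mixed
    # from native mode; the nTMixedDomain attribute on the domain head does (1 = mixed).
    $domain = Get-ADDomain
    $head = Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain
    return ($head.nTMixedDomain -ne 1)
}

function Convert-ToUniversalGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties Members
    if ($group.GroupScope -eq 'Universal') { return $group }
    # DomainLocal -> Universal is refused while the group nests another domain local
    # group (groupType flag 0x4), so detect that case and report it instead of failing.
    $nestedDL = $group.Members |
        ForEach-Object { Get-ADObject -Identity $_ -Properties groupType } |
        Where-Object { $_.ObjectClass -eq 'group' -and ($_.groupType -band 4) }
    if ($nestedDL) { throw "Remove nested domain local groups first: $($nestedDL.Name -join ', ')" }
    Set-ADGroup -Identity $group -GroupScope Universal
    return Get-ADGroup -Identity $GroupName
}

function Add-GroupToLocalAdministrators {
    param([Parameter(Mandatory)][string]$DomainNetbios, [Parameter(Mandatory)][string]$GroupName)
    $member = "$DomainNetbios\$GroupName"
    # net localgroup is the same tool the question used and works on older hosts too.
    net localgroup Administrators "$member" /add | Out-Null
    # The symptom in the thread was a silently ignored add, so verify by reading the
    # membership listing back rather than trusting the exit code.
    return [bool]((net localgroup Administrators) | Where-Object { $_.Trim() -ieq $member })
}

if (-not (Test-UniversalGroupSupport)) { throw 'Domain is in Windows 2000 mixed mode; universal groups are unavailable.' }
$g = Convert-ToUniversalGroup -GroupName 'ServerX Local Admins'
"Group scope is now: $($g.GroupScope)"
if (Add-GroupToLocalAdministrators -DomainNetbios 'DOMAINA' -GroupName $g.Name) {
    'Membership is listed in the local Administrators group.'
} else {
    'Group was not listed after the add; check for duplicate machine SIDs (sysprep) before retrying.'
}
```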
I've had a similar issue: I could add a domain local group to a local group on a domain member (e.g. "net localgroup administrators /add NameOfDomainLocalGroup") but the membership didn't display (e.g. in output of "net localgroup administrators") and the membership didn't take effect.
I tracked the cause down to having cloned both the domain controller and domain member from the same OS image (Server 2008 R2) without a sysprep step. (Duplicate SIDs)
After I ran sysprep on the domain member and re-added it to the domain all was fine :)
Look up Microsoft's AGDLP design best practice. Your Accounts should go into Global groups, and your Global groups should go into Domain Local groups. You then assign Permissions to Domain Local Groups.
So in your case, create a DL group called "ServerX Local Admins" and add that to the local Administrators group on the server. Create a Global group with a meaningful representative name and add the account from Domain B to that group. Then, add that group to the DL group.