I have 3 domains - students, employees, and a resource domain with services that both domains use. They are running on Server 2008 at the 2008 functional level. I'd like for IT users in the employee domain to be able to use Active Directory Users & Computers (ADUC) locally on their computers for all 3 domains rather than having to RDP into the other two domains.
Employee domain administrators can't administer the resource domain, and I assume that the lack of explicitly granted permission is why. Once I get that working I will do the same for the student domain.
There exists a one-way trust such that users on the employee domain can be granted access to stuff on the resource domain. For example, I can easily add any user from the student or employee domain to file permissions on a resource domain computer.
However, if in ADUC on the resource domain I try to add another domain's user to a Universal security group, which should work, I cannot even choose the domain. It doesn't show up when I click "Locations", and if I instead type the username preceded by the domain (or follow it with @domain), it fails.
Am I trying to do the right thing but failing, or am I going in a totally wrong direction?