SharePoint: Domain Local groups from Trusted Forest are not valid


Consider the following scenario:

You have a SharePoint 20xx (doesn’t matter) site and have configured People Picker to search a trusted Active Directory Forest or Domain.

You have a security group of type “domain local” in the trusted forest that has several users in it.

You use People Picker to search for the group, but you get no results. You can find users and other groups from the trusted forest, but not the domain local group.


Cause:

This is by-design.

See the “Group Scopes” table here:

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#group-scope

Notice that the “Can Grant Permissions” cell for “Domain Local” groups says: “Within the same domain”.

That’s right, domain local groups can only be used for securing resources that exist within the same Active Directory domain as the group. That’s why SharePoint won’t allow you to find them in People Picker. The purpose is to prevent you from adding a group to site permissions that doesn’t (can’t) actually provide permission to the site for the users within the group.


Workarounds:

Use a different group from the trusted domain with the “Global” or “Universal” scope.

Alternatively, you could add all the users from the trusted domain to a domain local group that exists within the same domain as the SharePoint servers and use that group.


Domain Local group considerations for other SharePoint features:

User Profile Import will not compute group memberships for domain local groups from a trusted domain / forest, so you can’t use them in audiences either.


How do I know what type of group it is?

It’s listed on the properties page for the group in Active Directory.
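The scope rule from the Cause section and the check above, as an added PowerShell example (not from the original post): it reads the group's scope with the ActiveDirectory RSAT module and reports whether the group can be granted permissions from the SharePoint farm's domain. It assumes the script runs as an account in the farm's domain; the group names and the trusted-domain DC name are placeholders.

```powershell
# Added example, not part of the original post.
# Requires the ActiveDirectory module (RSAT). Assumption: the logged-on account's
# domain is the domain the SharePoint servers belong to.
Import-Module ActiveDirectory

function Test-SPGroupScope {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,  # sAMAccountName, DN or SID
        [string] $Server                                  # DC of the trusted domain, if the group lives there
    )
    # Domain of the farm (assumption: same as the logged-on account's domain)
    $farmDomain = (Get-ADDomain).DNSRoot

    $getArgs = @{ Identity = $GroupIdentity }
    if ($Server) { $getArgs['Server'] = $Server }
    $group = Get-ADGroup @getArgs

    # Derive the group's domain from its DN: DC=trusted,DC=example -> trusted.example
    $dcParts = $group.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }
    $groupDomain = ($dcParts -replace '^DC=') -join '.'

    # Domain local groups only grant permissions within their own domain;
    # Global and Universal groups are fine from a trusted domain.
    $sameDomain = $groupDomain -ieq $farmDomain
    $usable = ($group.GroupScope -ne 'DomainLocal') -or $sameDomain

    [pscustomobject]@{
        Group       = $group.Name
        GroupDomain = $groupDomain
        FarmDomain  = $farmDomain
        Scope       = $group.GroupScope        # DomainLocal, Global or Universal
        UsableInSP  = $usable
        Note        = if ($usable) { 'OK: People Picker can resolve this group' }
                      else { 'Domain local group from another domain: use a Global/Universal group, or a domain local group in the farm domain' }
    }
}

# Placeholder names; replace with a real group and a DC of the trusted domain.
Test-SPGroupScope -GroupIdentity 'SP-Readers' -Server 'dc01.trusted.example'
Test-SPGroupScope -GroupIdentity 'SP-Readers-Local'
```

Run it before granting site permissions to a trusted-domain group; a result with UsableInSP set to False is the case the People Picker silently hides.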
