I have two test domains and one trusts another.

In a GPO on the trusting domain, I need to add a group from the trusted domain to the Remote Desktop Users group, which will apply to all computer objects in the trusting domain.

However, when I try to add this group I get this error: "the object selected does not match the type of destination source". The group type is 'local domain'.

Is there a way to create a GPO on the trusting domain using a group from the trusted domain?

sys

1 Answer

Create a Universal Group in the trusted domain and add the appropriate objects from the trusted domain to it.

Create a Domain Local Group in the trusting domain and add the trusted Universal Group to it.

Use the GPO to assign the Domain Local Group membership in the various local Remote Desktop Users groups in the trusting domain.


Do not attempt to use the BUILTIN\Remote Desktop Users group for this task, as it has the special group scope "Builtin local." Use these groups for Domain Controller-related permissions, if you use them at all.

Moreover, by using the BUILTIN\Remote Desktop Users group (which is analogous to a local group on all Domain Controllers), you are essentially granting RDP access for all accounts in the trusted domain to the Domain Controllers of your trusting domain. This is an awful idea, and likely just an oversight.

Semicolon
  • Thank you, I came up with the same idea yesterday. Unfortunately, despite setting it up, I cannot connect via RDP from a host in the trusted domain to a host in the trusting domain. I get 'An authentication error has occurred (Code: 0x80004005).' – sys Jan 31 '19 at 08:48
  • And of course, the 'allowed to authenticate' attribute is applied to the destination computer objects. – sys Jan 31 '19 at 09:06
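The three steps in the answer above, scripted end to end. This is an added example, not code from the original answer: the domain names (trusted.example, trusting.example), group names, user names, OU and GPO name are placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules, a working trust, and rights to create groups in both domains and GPOs in the trusting one. Restricted Groups has no dedicated cmdlet, so the GPO part writes a security template (.inf) with the "Member of" form of the setting, which adds the group to the local Remote Desktop Users group on each computer without replacing the existing members.

```powershell
# Added example (not from the original answer). Placeholder names throughout.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TrustedDomain  = 'trusted.example'    # where the user accounts live
$TrustingDomain = 'trusting.example'   # where the target computers and the GPO live
$TargetOU       = 'OU=Servers,DC=trusting,DC=example'   # assumed OU to link the GPO to
$RdpUsersSid    = 'S-1-5-32-555'       # well-known SID of the local Remote Desktop Users group

# Talk to a DC in each domain explicitly; the cmdlets otherwise default to the current domain.
$TrustedDC  = (Get-ADDomainController -DomainName $TrustedDomain  -Discover).HostName[0]
$TrustingDC = (Get-ADDomainController -DomainName $TrustingDomain -Discover).HostName[0]

# Step 1: Universal group in the TRUSTED domain holding the accounts that need RDP.
$universal = New-ADGroup -Server $TrustedDC -Name 'RDP-Users-Universal' `
                -GroupScope Universal -GroupCategory Security -PassThru
Add-ADGroupMember -Server $TrustedDC -Identity $universal -Members 'alice', 'bob'   # assumed accounts

# Step 2: Domain Local group in the TRUSTING domain that nests the universal group.
# Pass the ADGroup object from the other domain (not just its name) so the cmdlet can
# create the foreign security principal for it in the trusting domain.
$domainLocal = New-ADGroup -Server $TrustingDC -Name 'RDP-Users-DL' `
                  -GroupScope DomainLocal -GroupCategory Security -PassThru
Add-ADGroupMember -Server $TrustingDC -Identity $domainLocal -Members $universal

# Step 3: a GPO in the TRUSTING domain that puts RDP-Users-DL into each computer's
# local Remote Desktop Users group via Restricted Groups ("<group>__Memberof = <target>").
$gpo = New-GPO -Name 'RDP access for trusted.example' -Domain $TrustingDomain -Server $TrustingDC
New-GPLink -Name $gpo.DisplayName -Target $TargetOU -Domain $TrustingDomain -Server $TrustingDC | Out-Null

$dlSid = $domainLocal.SID.Value
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${dlSid}__Memberof = *$RdpUsersSid
*${dlSid}__Members =
"@

# Security templates must be UTF-16; save it next to the script for import into the GPO.
$templatePath = Join-Path $PSScriptRoot 'rdp-users-restricted-groups.inf'
Set-Content -Path $templatePath -Value $template -Encoding Unicode
Write-Host "Template written to $templatePath"
Write-Host "Import it into '$($gpo.DisplayName)' via GPMC: Computer Configuration > Policies >"
Write-Host "Windows Settings > Security Settings > right-click > Import Policy..."
```

Importing through GPMC (Security Settings > Import Policy...) is what registers the security client-side extension and bumps the GPO version, so the template is applied rather than ignored. The "__Memberof" form is deliberately used instead of "__Members": the latter replaces the local group's membership on every refresh, which would strip any accounts the computers' owners had added locally. After `gpupdate /force` on a target machine, `net localgroup "Remote Desktop Users"` should list TRUSTING\RDP-Users-DL.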