I've source domain local group applied on resource ACL. Resource have been migrated to target domain server along with ACL permissions as-is. Source domain local group have also been migrated to target domain using sidhistory and scope has been converted to Global group in target domain. This migrated global group (having sid of source domain local group in sidhistory attribute) is nested inside source domain local group as well. So if I add newly created user in migrated global group, then user is able to access resource.
So my question is how access is granted to user because source domain local group will not be recognized in target domain (as authorization scope is limited to the domain where it's created)?
Is this because of the fact that user's token containing sid of source domain local group in sidhistory attribute will be compared to source domain local group applied on resource ACL? But how source domain local group will be recognized while access check (because of authorization scope is limited to source domain only)?
Is this because of the fact that migrated global group is nested inside source domain local group which is applied on resource ACL? Does access check is performed against migrated global group directly by ignoring source domain local group? Does access check is also performed against nested group which is not directly applied on resource ACL?
Kindly answer and explain technically specific to mentioned points in above scenario. Please explain also how exactly access check is performed in this scenario OR in general.