You can't use the Active Directory shadow principal groups feature for groups that are always filtered out in Windows
A Windows Server 2012 R2 domain controller that receives an incoming Kerberos ticket-granting ticket (TGT) from across a forest trust boundary would always filter out of the PAC all group SIDs representing well-known accounts that have low-number RIDs in its domain, such as the SID of the "Domain Admins" group in its domain. This issue occurs when a domain controller is in another forest and at the Windows Server 2016 Technical Preview functional level and that forest holds a shadow principal group that has a SID representing a well-known account.
To fix this issue, install May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.
Note This update adds the new trust flag TRUST_ATTRIBUTE_PIM_TRUST to Windows Server 2012 R2 domain controllers. The ticket enables those domain controllers to recognize the Kerberos tickets coming from the bastion forest. After you install this update, the domain controller will allow this flag to be set on the trustAttributes attribute of a trusted domain object in its system container, and the domain controller will interpret the groups when it performs SID filtering.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Learn about the terminology that Microsoft uses to describe software updates.
Article ID: 3155495 - Last Review: 05/18/2016 02:16:00 - Revision: 2.0
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1
- kbqfe kbsurveynew kbfix kbexpertiseadvanced KB3155495