Cross domain authentication only works properly when users are members of domain GLOBAL groups instead of domain LOCAL groups.
Group memberships are only recognized when user and computer are in the same domain for all types of groups.
In setups where computer and user are part of different domains, domain GLOBAL groups must be used to ensure proper enforcement of rules.
PromoteĀ domain LOCAL groups to domain GLOBAL, or ensureĀ computer and user are in the same domain for all types of groups.