Hi, we have a PAM setup in which the bastion forest is deployed the same way as per Microsoft documentation.
All is good; however, we are applying the administrative tier model as well.
In the production forest we have created a group named "Tier 0 Admins", and it is part of Domain Admins.
So any member of T0admin can fully manage the domain.
To apply the PAM concept we have created a PAM group called "Tier 0 Admins" and created a privileged account in the bastion forest named priv\priv.T0admin.
We have removed T0admin from the "Tier 0 Admins" group and initiated a PAM request, which is successful.
We logged in to the DC using priv\priv.T0admin, and we can see in whoami /groups that T0admin is a member of "Tier 0 Admins".
However, this user does not have the privileges of Domain Admins, and it seems PAM does not support nested groups in this case. Has anyone faced a similar issue, and is there any documentation from MS in this regard?
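The setup described in the post, written out as an added PowerShell example (this is not the poster's script or Microsoft's documentation code; it uses the MIM PAM cmdlets and ActiveDirectory module as I know them). Domain names, DC names and the role name are assumptions; the last section adds the two checks a practitioner would want before concluding anything about nesting: does the shadow group actually carry the production group's SID in sIDHistory, and is the production group itself a direct member of Domain Admins.

```powershell
# Added example, not from the original post. Assumed names: production forest
# corp.example (DC CORPDC.corp.example), bastion forest priv.example
# (DC PRIVDC.priv.example). Steps 1-4 run on the MIM PAM server in the bastion
# forest as a PAM administrator; step 5 runs as the priv user; step 6 anywhere
# with the AD module; step 7 on the production DC after logging on as the priv user.
Import-Module MIMPAM
Import-Module ActiveDirectory

$prodDomain = 'corp.example'            # assumption
$prodDC     = 'CORPDC.corp.example'     # assumption
$privDC     = 'PRIVDC.priv.example'     # assumption
$groupName  = 'Tier 0 Admins'
$userName   = 'T0admin'
$roleName   = "$groupName role"         # assumption

# 1. Production-forest credentials; MIM uses them to read the source objects and
#    to stamp the source SIDs into sIDHistory on the shadow objects.
$ca = Get-Credential -UserName "$prodDomain\Administrator" -Message 'Production forest admin'

# 2. Shadow group in the bastion forest, carrying the production group's SID.
$pg = New-PAMGroup -SourceGroupName $groupName -SourceDomain $prodDomain -SourceDC $prodDC -Credentials $ca

# 3. Shadow (priv) account for the production user.
$sp = Read-Host -AsSecureString -Prompt "Password for priv.$userName"
$pu = New-PAMUser -SourceDomain $prodDomain -SourceAccountName $userName -PrivAccountName "priv.$userName" -PrivPassword $sp

# 4. Role that lets the priv account request the shadow group for one hour (TTL in seconds).
$pr = New-PAMRole -DisplayName $roleName -Privileges $pg -Candidates $pu -TTL 3600

# 5. As priv\priv.T0admin, request activation and confirm the request was processed.
New-PAMRequest -Role $roleName -Justification 'Tier 0 maintenance'
Get-PAMRequest

# 6. Checks: (a) the shadow group's sIDHistory contains the production group's SID;
#    (b) the production group is a direct member of Domain Admins. Both are needed
#    for a token that carries the shadow group to reach Domain Admins through nesting.
$prodGroup = Get-ADGroup -Identity $groupName -Server $prodDC -Credential $ca
$shadow    = Get-ADGroup -Identity $groupName -Server $privDC -Properties sIDHistory
$sidOk     = (@($shadow.sIDHistory) | ForEach-Object { $_.Value }) -contains $prodGroup.SID.Value
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Server $prodDC -Credential $ca
$nestedOk  = (@($daMembers) | ForEach-Object { $_.SID.Value }) -contains $prodGroup.SID.Value
"Shadow group carries production group SID : $sidOk"
"Production group is a member of Domain Admins: $nestedOk"

# 7. On the production DC, logged on as priv\priv.T0admin, inspect the token.
#    Compare which of the two groups actually appears.
whoami /groups | Select-String -Pattern $groupName, 'Domain Admins'
```

The point of step 6 is to separate the two things that can go wrong: if `$sidOk` is false the shadow group was never linked to the production group, which is a PAM provisioning problem rather than a nesting one; if both checks are true and step 7 still shows only "Tier 0 Admins", the missing Domain Admins entry is specifically about how the token's sIDHistory SID is (or is not) expanded into nested memberships.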