Anthony, and others who may stumble into this.
It does not look like a splunk issue to me....
I have been dealing with the same issue and did a wireshark of the LDAP exchange to help understand what is going on here. The UK user you added to your US domain group is not picked up by splunk authorization "map group" because Windows server is sending it only the SID value for that user with a common name of "ForeignSecurityPrincipals". I am not sure why Windows server would not send it the full DN of the UK user you have added into the US domain group. In my case what is sent by the Windows DC to represent the externally referenced user looks like this:
Frame 398 includes an unspecified "ForeignSecurityPrincipals" account which is identified by only the SID as follows:
AttributeValue: CN=S-1-5-21-4266372183-2100496958-683817857-1104,CN=ForeignSecurityPrincipals,DC=dapper,DC=dap
...This is basically useless information to splunk. It looks like a Windows server issue to me. I would expect the full CN representing the inserted user to be sent. After all the foreign user ~was~ added successfully to the group.
What we need sent by Windows server is something that looks like the following, which is the form sent for local users placed into the group of interest. It looks like this:
AttributeValue: CN=splunkadmin1,CN=Users,DC=dapper,DC=dap
Again, from my perspective it looks like a Windows 2012R2 DC LDAP issue. Your UK user foreign security principal is not being identified as a proper "CN" even though Windows is aware of exactly who this principal is. It is sending only SID and "ForeignSecurityPrincipals".
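An added example, not part of the original post and not Splunk or Microsoft code: a small check that takes the member attribute values returned for a group and flags the ones that carry only a SID under "ForeignSecurityPrincipals", which is the form shown in the capture above. The function names are hypothetical, and the sample input is constructed from the two values quoted in the post.

```python
import re

# Constructed sample: the two member values quoted in the post above.
SAMPLE_MEMBERS = [
    "CN=S-1-5-21-4266372183-2100496958-683817857-1104,CN=ForeignSecurityPrincipals,DC=dapper,DC=dap",
    "CN=splunkadmin1,CN=Users,DC=dapper,DC=dap",
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def classify_member(dn):
    """Describe one member DN: a named account, or a SID-only foreign principal."""
    rdns = split_dn(dn)
    leaf_attr, leaf_value = rdns[0]
    parent = rdns[1][1].lower() if len(rdns) > 1 else ""
    is_fsp = (
        leaf_attr == "CN"
        and parent == "foreignsecurityprincipals"
        and SID_RE.match(leaf_value) is not None
    )
    result = {"dn": dn, "foreign": is_fsp, "name": None,
              "sid": None, "domain_sid": None, "rid": None}
    if is_fsp:
        # The last sub-authority is the RID; the rest identifies the foreign domain.
        domain_sid, _, rid = leaf_value.rpartition("-")
        result.update(sid=leaf_value, domain_sid=domain_sid, rid=int(rid))
    else:
        result["name"] = leaf_value
    return result


def unresolved_members(member_values):
    """Return the members whose DN carries a SID instead of a user name."""
    return [m for m in map(classify_member, member_values) if m["foreign"]]


if __name__ == "__main__":
    for entry in unresolved_members(SAMPLE_MEMBERS):
        print(f"SID-only member: {entry['sid']} (domain {entry['domain_sid']}, RID {entry['rid']})")
```

Run against a group's member values exported from a capture or an LDAP query, this lists which entries a DN-based group mapping will see without a user name, along with the foreign domain SID to look them up in.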