In environments with multiple domains managed by Active Roles, when attempting to delegate an Access Template to a Well-Known SID such as Account Operators, the Access Template may not apply to the correct object as expected.
There are two domains managed in Active Roles: Domain1 and Domain2.
An Access Template is delegated to Domain2\Account Operators; however, the delegation is erroneously set to Domain1\Account Operators.
Built-in accounts and other Well-Known SIDs have the same Object SIDs across all domains. Active Roles utilizes these Object SIDs when mapping Access Template links (AT Links) to a Trustee.
This issue has been identified as a product defect and assigned the Defect ID 91777.
Create an alternate group that is not a Well-Known SID to use when delegating Access Templates.
Waiting for a fix in a future release of Active Roles.
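The SID collision behind this defect, and the effect of the workaround, can be checked before delegating. The PowerShell below is an added example, not Quest or Active Roles code: Get-TrusteeSidScope is a hypothetical helper, and the AR-AcctOps group name, its RID and the S-1-5-21 domain identifiers are constructed sample values (S-1-5-32-548 is the Well-Known SID of Account Operators). It uses the .NET SecurityIdentifier class to flag trustees whose SID carries no domain identifier and then lists the trustees that share a SID.

```powershell
# Constructed sample trustees: the built-in group in each domain, plus the
# alternate (non-Well-Known) group suggested by the workaround.
$trustees = @(
    [pscustomobject]@{ Name = 'Domain1\Account Operators'; Sid = 'S-1-5-32-548' }
    [pscustomobject]@{ Name = 'Domain2\Account Operators'; Sid = 'S-1-5-32-548' }
    [pscustomobject]@{ Name = 'Domain1\AR-AcctOps'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'Domain2\AR-AcctOps'; Sid = 'S-1-5-21-1234567890-2345678901-3456789012-1105' }
)

function Get-TrusteeSidScope {
    # Hypothetical helper: reports whether a SID contains a domain identifier.
    param([Parameter(Mandatory)][string]$Sid)

    $parsed = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # AccountDomainSid is $null for SIDs that are not domain account SIDs,
    # which includes the BUILTIN aliases (S-1-5-32-*).
    $domainSid = $parsed.AccountDomainSid

    [pscustomobject]@{
        Sid            = $parsed.Value
        DomainSid      = if ($null -ne $domainSid) { $domainSid.Value } else { $null }
        IsDomainUnique = ($null -ne $domainSid)
    }
}

# Classify every trustee.
$report = foreach ($t in $trustees) {
    $scope = Get-TrusteeSidScope -Sid $t.Sid
    [pscustomobject]@{
        Name           = $t.Name
        Sid            = $scope.Sid
        DomainSid      = $scope.DomainSid
        IsDomainUnique = $scope.IsDomainUnique
    }
}
$report | Format-Table -AutoSize

# Trustees that share one SID cannot be told apart by a SID-based mapping.
$report | Group-Object -Property Sid | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{
        Sid               = $_.Name
        AmbiguousTrustees = ($_.Group.Name -join ', ')
    }
} | Format-Table -AutoSize
```

With the sample data, only the two Account Operators entries share a SID; the alternate groups each resolve to a distinct, domain-specific SID.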