Re: Access to resources in the Forest root domain
Well, providing your domains and forest are at the top functional levels, I’d avoid the use of Universal groups unless absolutely necessary. Try to use global and domain local groups instead.
Conceptually, however, using the Universal groups it sounds like you did things right. The one thing I would question is weather the desktop engineers logged off and logged back on to update their security token with their new group membership which is granting them print operator rights on the print server? The other variable here is to ensure the necessary replication has occurred if multiple domain controllers (and especially multiple sites) are involved. You can use the replmon.exe or repadmin.exe tools for this.