Group memberships via two-way transitive trust within child domains...
- I work with two primary child domains... CORP.CORP.COM and CORPNY.CORP.COM in a 2003 AD forest.
Members of CORPNY will be members of CORPNY groups but also several CORP.CORP.COM groups as well. CORP.CORP.COM users are not members of CORPNY groups usually...
Things pertaining to access afforded by the groups are fine, the problem I am having is viewing what groups a CORPNY user is in. When you look at Member Of... you only see the CORPNY groups.
You can see the NY users if you look in a CORP group and vice versa if you have a CORP user in a NY group (I did this for testing - user is visible in group, group is not visible in user Member Of)
These are default child domains set up within AD and I have verified the two-way transitive trust. My real problem is that when I copy a CORPNY user, the new user is not put in any of the CORP.CORP.COM groups, BUT, I will get a pop-up telling me that "Windows can not set the membership of User, New for the following group(s): in group A,B,C, or D because: The specified user does not exist."
I then need to get a screen shot of the error so I know what groups I need to manually add the user to. Usually at least 10. I have someone working on a VB script to help pull this group info from AD and ease the application of the groups to the new user accounts, but this just seems like an error of some type to me.
I have not worked much with child domains, so I'm deciding to punt and ask the community if this is an issue I can resolve or if it is a "feature" I need to just live with and continue to work the scripting-based solution.
Thank you very much for any advice you have on this.
Fred
Edited by tfbiii, Tuesday, November 03, 2009 3:16 PM (spelling)
All Replies
- Fred,
as far as I understand, this is by design. You could potentially provide visibility of membership in universal groups from trusted domains by applying http://support.microsoft.com/?kbid=833883 - but note that this still does not take into consideration domain local groups...
hth
Marcin
Marked As Answer by tfbiii, Tuesday, November 03, 2009 4:24 PM
- Thanks! I'll review this hotfix and see if we can work it in to a service window.
- Looks like that fix will only apply to one user profile and then would need to be applied to whatever DC you are connected to. I actually do 90% of my admin work right from my laptop... I was hoping for something that would fix this issue domain-wide.
- Switch to a scripted approach. This is more of "by design" type of situation...
hth
Marcin
Marked As Answer by tfbiii, Tuesday, November 03, 2009 4:24 PM
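
One way to script the approach suggested in the last reply, as an added example that is not part of the original thread: it queries the domain that owns the groups for every group whose `member` attribute holds the template user's DN, since Member Of on the user does not show those groups. The two user DNs and the `-Apply` switch are constructed for illustration; CORP.CORP.COM is the domain named in the question.

```powershell
# Added example: report (and optionally copy) a user's memberships held in another domain.
# Both DNs below are constructed placeholders; replace them with real objects.
param(
    [string]$TemplateDn  = 'CN=Template User,CN=Users,DC=CORPNY,DC=CORP,DC=COM',
    [string]$NewUserDn   = 'CN=New User,CN=Users,DC=CORPNY,DC=CORP,DC=COM',
    [string]$GroupDomain = 'CORP.CORP.COM',
    [switch]$Apply       # without -Apply the script only reports
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a DN containing \ * ( or ) cannot alter the filter.
    # The backslash must be escaped first.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Bind to the domain that owns the groups: the member list is stored on the group
# object there, so the search sees memberships the user's own domain does not show.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $TemplateDn)))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('groupType')

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $groupDn = [string]$r.Properties['distinguishedname'][0]
        $type    = [int]$r.Properties['grouptype'][0]
        # groupType bit flags: 0x8 = universal, 0x4 = domain local, otherwise global
        $scope   = if ($type -band 0x8) { 'Universal' } elseif ($type -band 0x4) { 'DomainLocal' } else { 'Global' }
        Write-Output "$scope`t$groupDn"

        if ($Apply) {
            # Add the new user's DN to the same group and write the change back.
            $group = $r.GetDirectoryEntry()
            [void]$group.psbase.Properties['member'].Add($NewUserDn)
            $group.psbase.CommitChanges()
        }
    }
}
finally { $results.Dispose() }
```

Run it once without `-Apply` and review the list before copying, because every group carried over grants the new account the same access as the template user.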

