locked
A security Group can't be found in "member of " although the user has been added to the group RRS feed

  • Question

  • Hello Gurus,

    I have a question.

    Please allow me to explain the situation.

     

    The domain is "Domain.com"

    User is located in "A.Domain.com"

    The security group, "InternetAccess"(global group scope) is created in one of the OUs in "Domain.com"

    the user's account can be seen in the "member of" in security group "InternetAccess"

    But in the user account, InternetAccess can't be seen in the "member of"

     

    May I know why's that?

    Thanks a lot in advance :)


    Thank you, msdn =) 99.9% of my questions have been answered :D
    Saturday, May 14, 2011 3:05 PM

Answers

  • As others have rightly said, GG can't have members of any other domain & GG membership is not replicated. GC doesn't contain all the information of other domain, only partial info where as Domain local group contains member of other domain where as member attribute is not. 

    Below article might help you to understand more.

    http://technet.microsoft.com/en-us/library/cc961761.aspx


    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, May 15, 2011 6:13 AM

All replies

  • Are you viewing this on the same domain controller? When did replication last complete? Where is the infrastructure master role? How many of your DCs are GC?
    Saturday, May 14, 2011 6:14 PM
  • Can you double check that group again?  Global Groups can only contain members from their own domain. User is located in a different domain.

    More on group scope here:  http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

     

    Thanks

     

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Saturday, May 14, 2011 6:18 PM
  • Do you have 2 domains? Domain.com and A.domain.com?

    >>the user's account can be seen in the "member of" in security group "InternetAccess"

    You mean “Memebers” tab? You won’t be able to see user account from “Member Of” tab.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Saturday, May 14, 2011 7:48 PM
  • I thought this was normal behavior to be honest...

    EDIT: Looks like it is: http://support.microsoft.com/kb/237905

     


    My website: www.cjwdev.co.uk My blog: cjwdev.wordpress.com

    • Proposed as answer by bshwjt Monday, May 16, 2011 9:09 AM
    Saturday, May 14, 2011 11:31 PM
  • This does not sound correct.

    User from A.Domain.com can NOT be added to domain global group in Domain.com - since domain global group can contain only objects from its own domain.

    Looks like you have either users or groups confused

    hth
    Marcin

     

    Sunday, May 15, 2011 12:09 AM
  • Mark Morowczynski[MSFT]

    Thanks Mark. Sorry, I am pretty new to this. Yes, I am viewing this in the same DC and I am not able to answer the rest of your questions due to lack of knowledge in AD.

     

    Mike Kline<abbr class="affil">MVP</abbr>

    Thanks Mike, this is a big organization with many business units.

    Example, the organization is called "Animal" (sorry about this naive example)

    and they have business units like cats, dogs, rats, elephants across the globe. But cats dogs rats and elephants can still be found in the ADUC.

    their email address would be xx.animal.com, xx.cats.com, xx.dogs.com. xx.rats.com, xx.elephants.com..
    confusing?

    In ADUC, I can see Animal.com being the root. If I wanna connect to cats.com, i will have to right click animal.com and pick cats.com in the drop down.

    There are trusted forest established between them, is that what they call it?

     

    Santhosh Sivarajan-<abbr class="affil">MVP</abbr>

    Thanks Santhosh. The answer is yes :)

     

    Chris128
    Thanks Chris, I am still learning and trying to understand why.

     

    Marcin Policht<abbr class="affil">MVP</abbr>

    <abbr class="affil">
    Thanks Marcin, does my reply to Mike make sense to you?</abbr>

     


    Thank you, msdn =) 99.9% of my questions have been answered :D
    Sunday, May 15, 2011 2:58 AM
  • As others have rightly said, GG can't have members of any other domain & GG membership is not replicated. GC doesn't contain all the information of other domain, only partial info where as Domain local group contains member of other domain where as member attribute is not. 

    Below article might help you to understand more.

    http://technet.microsoft.com/en-us/library/cc961761.aspx


    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, May 15, 2011 6:13 AM
  • Thanks Chris,

    I also agree with you.

     

    Dear All,

    Correct me if I am wrong.


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Monday, May 16, 2011 9:10 AM