none
security group checking within forest

    Question

  • Hello

    I have the following domain controllers

    forest.com

    oak.forest.com

    ash.forest.com

    I have user testuser in Domain Users in the ash subdomain.

    Domain Users is a member of a universal group TestGroup in forest.com DC.

    Query against the GC port on forest.com is not able to determine

    that testuser is a member of TestGroup

    Is the memberof query limited in this regard? I'm using nested group chain match also.

    I thought the GC would be aware of the

    nested group (domains users from ash subdomain)

    And determine user membership

    Should this be possible?

    Thank you for any insight.

    Tuesday, February 28, 2017 9:35 PM

All replies

  • Hi,

    You might need Global Scope group, check this link and the detailed information in the technet link will be useful to understand and apply your requirement.

    https://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, February 28, 2017 10:18 PM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 6, 2017 8:24 AM
    Moderator