same user/groups in different domains

  • Question

  • Hi all,

    I have a single forest wherein I have 3 domains, A, B and C. I have 20000 users distributed in these 3 domains. Some users have an account in all 3 domains. There are some groups with the same name in A and B. I need to import users into FIM from all three domains. The requirement says that a user can log in from any domain, viz. A\user, B\user and C\user. My concern is how the objectID will be populated for this user. The same is the case with groups: the group name, say GroupA, is in FIM, and GroupA is present in Domain A and Domain B with the same name.

    If I join on the basis of sAMAccountName, to which domain will it join? How do I show a user the groups of all the domains so that he can add/remove himself from them? Please provide assistance.


    Thursday, October 18, 2012 9:52 AM

All replies

  • You have a more challenging environment due to users with multiple accounts.  The Microsoft best practice is to have one Active Directory MA per forest, and so users with multiple accounts in the forest are going to end up with multiple connectors and that presents a variety of problems.  Life is a lot easier with single connectors per connected data source, otherwise you end up with errors in importing data (like the objectID).  If you split the AD MA into three MAs, you can avoid multiple connectors but then you cannot use AD as a password synchronization source.

    I don't know why users would need multiple accounts in the same forest, but they would probably each need to be managed as separate identities.  Setting your join rule to use userPrincipalName instead of sAMAccountName should allow the sync engine to keep user accounts separate.  But once everything is loaded into the FIM Service/Portal, users will have to log into the portal once for each of their user accounts to do any kind of group membership requests.

    I'm sure there's a more clever way of solving your problem, but I don't think I'd be up for it.


    Monday, October 29, 2012 6:35 PM
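As an added illustration of the trade-off Chris describes (this is example code, not part of the original thread and not Microsoft's sync engine), the script below simulates a sync engine's join and projection rules over connector-space objects from three domains of one forest, imported through a single management agent. Joining on sAMAccountName merges A\jsmith, B\jsmith and C\jsmith into one metaverse object with three connectors, so objectGUID and group membership now flow from three competing sources; joining on userPrincipalName keeps one metaverse object per account. It also shows the ambiguous-join case that arises when the metaverse already holds two objects with the same key, such as a GroupA created in the portal. All domain names, account names and GUIDs are constructed samples, and `run_sync`, `by_sam` and `by_upn` are hypothetical helpers written for this example.

```python
"""Simulated FIM/MIM join and projection (added illustration, not Microsoft's
sync engine).  Connector-space (CS) objects from three domains of one forest
arrive through a single Active Directory management agent.  For each CS object
the engine looks up metaverse (MV) candidates by one join value: one hit joins,
zero hits projects a new MV object, more than one hit is an ambiguous join.
All names, domains and GUIDs below are constructed samples.
"""
from collections import defaultdict


def cs(domain, sam, upn, guid):
    """Build a constructed connector-space object for the simulation."""
    return {"domain": domain, "sAMAccountName": sam,
            "userPrincipalName": upn, "objectGUID": guid}


# Constructed import: one person with accounts in A, B and C, one other user,
# and a group named GroupA that exists in both A and B.
USERS = [
    cs("A", "jsmith", "jsmith@a.corp.example", "guid-a-1"),
    cs("B", "jsmith", "jsmith@b.corp.example", "guid-b-1"),
    cs("C", "jsmith", "jsmith@c.corp.example", "guid-c-1"),
    cs("B", "amei", "amei@b.corp.example", "guid-b-2"),
]
GROUPS = [
    cs("A", "GroupA", None, "guid-a-9"),
    cs("B", "GroupA", None, "guid-b-9"),
]


def by_sam(obj):
    """Join key from sAMAccountName only: identical in every domain."""
    return obj["sAMAccountName"]


def by_upn(obj):
    """Join key from userPrincipalName: unique across the forest."""
    return obj["userPrincipalName"]


def run_sync(cs_objects, key_fn, preexisting=()):
    """Apply join/projection rules to cs_objects.

    preexisting lists join values of MV objects that already exist (for
    example, created in the FIM Portal before the AD import).
    Returns (metaverse, ambiguous): metaverse maps mv_id -> {"key", "connectors"},
    ambiguous lists CS objects that matched more than one MV candidate and
    therefore stay disconnected (the engine does not guess).
    """
    metaverse = {}
    index = defaultdict(list)  # join value -> [mv_id, ...]

    def project(key, connectors):
        mv_id = f"mv-{len(metaverse) + 1}"
        metaverse[mv_id] = {"key": key, "connectors": connectors}
        index[key].append(mv_id)

    for key in preexisting:
        project(key, [])

    ambiguous = []
    for obj in cs_objects:
        key = key_fn(obj)
        candidates = index[key]
        if len(candidates) > 1:
            ambiguous.append(obj)
        elif len(candidates) == 1:
            # Join: a second connector from the same MA lands on this MV object.
            metaverse[candidates[0]]["connectors"].append(obj)
        else:
            project(key, [obj])
    return metaverse, ambiguous


def multiple_connectors(metaverse):
    """MV objects holding more than one connector, with the contributing
    domains: every attribute flow (objectGUID, member) now has several sources."""
    return {mv_id: [c["domain"] for c in mv["connectors"]]
            for mv_id, mv in metaverse.items() if len(mv["connectors"]) > 1}


if __name__ == "__main__":
    for label, objs, key_fn in (("users/sAMAccountName", USERS, by_sam),
                                ("users/userPrincipalName", USERS, by_upn),
                                ("groups/sAMAccountName", GROUPS, by_sam)):
        mv, amb = run_sync(objs, key_fn)
        print(f"{label}: {len(mv)} MV objects, "
              f"multiple connectors={multiple_connectors(mv)}, ambiguous={len(amb)}")
    mv, amb = run_sync(GROUPS, by_sam, preexisting=["GroupA", "GroupA"])
    print(f"groups with duplicate portal objects: ambiguous={len(amb)}")
```

The UPN join keeps each account as its own identity, which is why the portal then needs one login per account, as the reply above notes; the sAMAccountName join produces the single identity the question asks for, but only at the cost of multiple connectors whose attribute flows (objectID among them) have no defined winner without extra precedence rules.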
  • Thanks Chris.

    A user of Domain A wants a user of Domain B to be added to a group in Domain B. There is no trust (and will be no trust) between the two domains. Is this scenario possible? What if the same user in Domain A is present in Domain B also and wants to add him/her to Domain B's group? I went through


    Tuesday, October 30, 2012 11:52 AM