Cannot add user to groups from other domains

Thread starter: Amihai Bareket

In a multi-domain environment, when I'm opening a user page in Users &
Computers (current user or new user), I can only add it to its own domain
groups.
The option to select other domains is grayed out.

What's causing this?

There's a root domain and several child domains. All domains are members of
the same tree and same forest.
All DCs are WIN2K Adv. Server + SP3.
All domains are in native mode.
All DCs are configured as GC (tried also without...) and DNS.
There are 2 DCs per domain.

I've already checked trusts, DNS, GC problems, switching FSMO holders and
adding a new DC. Also tried to restore the entire forest 2 weeks back in a
lab environment - nothing helped!

Please help!
 
Create a domain local group in the child domain, then in the properties of
the local group you can add a user from another domain. Note that you can
only add users to a global group that are in the same domain as the global
group.

Snowdog
 
-----Original Message-----
This works of course, but I'm worried about the other way around -
Can't view any domain from a user details page (Member of) apart from the
domain which the user belongs to. Same effect with a brand new user - the
option to see other domains is grayed out.

Can you tell me which Active Directory / Win2k service provides the list of
domains under a user's properties (Member of) - Global Catalog? DNS? WINS?
Domain naming master FSMO???

Amihai,

While what Snowdog mentioned is very true, there could be
another solution: UNIVERSAL groups. This situation is one
of the many reasons for Universal Groups...

Since all of your domains are in Native Mode, Universal
Groups (both Security and Distribution) will be
available to all of your domains.

So that there is no confusion due to my choice of wording:
Universal Groups are only available in a Native Mode AD
domain. You could have seven domains with three of them
in Native Mode and the other four in Mixed Mode.
Universal Groups would be available only to those three in
Native Mode.

HTH,

Cary
 
All the domains are in Native mode.
It is possible to open a Universal group, but it does not solve my problem.
As I mentioned before -
When I open a user's property page under "Users & Computers" and go to the
"Member Of" page,
I cannot add the user to ANY group of ANY type from ANY other domain but
his own domain.
The list of available domains is grayed out.

So actually, if I open a universal group in domain A, I will not be
able to open user B in domain B and add him to that group....

Amihai
 
I've checked and re-checked it in a "Clean" environment (new Root-Child
domain environment) -
When I open a user's properties and try to add him to groups in the "Member
Of" tab, I only view groups from the user's domain - including Universal
groups!
I've tried to open a new universal group in the root domain, synchronized
the entire domain, then opened a user in the child domain and tried to add
him to the universal group from the root domain - I couldn't see the group
in the "Member Of" tab.

I've tested this with 2 WIN2K Servers, SP3. Both servers are configured as
GC, DNS and WINS servers.

Help?

Amihai Bareket


Jeff Jones said:
This is by design. The cost of resolving the group membership using the
MemberOf tab is too much considering that we would have to traverse all
trusted domains and search for each group that contains the
foreignSecurityPrincipal for the user. The Member Of tab will only show
membership in groups in the local domain and universal groups in the forest.
You will have to go to the group's Members page to see if a user is a member
of a particular group outside the domain.

--
Jeff Jones [MS]
Active Directory Administration Tools Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.



Amihai Bareket said:
This works of course, but I'm worried about the other way around -
Can't view any domain from a user details page (Member of) apart from the
domain which the user belongs to. Same effect with a brand new user - the
option to see other domains is grayed out.

Can you tell me which Active Directory / Win2k service provides the list of
domains under a user's properties (Member of) - Global Catalog? DNS? WINS?
Domain naming master FSMO???
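The two points made in this thread (Snowdog: only domain local and universal groups can hold users from another domain; Jeff Jones: cross-domain membership has to be managed and checked from the group's Members page, not the user's Member Of tab) put into a script, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory PowerShell module, which is newer than the Windows 2000 tools discussed above, and the domain, group and user names are constructed placeholders:

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (Windows Server 2008 R2 or later, so newer than the Win2K tools discussed
# above). Domain, group and user names are constructed placeholders.
Import-Module ActiveDirectory

$GroupDomain = 'root.example.test'        # placeholder: domain that holds the group
$UserDomain  = 'child.root.example.test'  # placeholder: domain that holds the user
$GroupName   = 'Forest-Ops-Universal'     # placeholder: a universal or domain local group
$UserSam     = 'jdoe'                     # placeholder: the user's sAMAccountName

function Get-DomainDnFromDn {
    # Return only the DC=... components of a distinguished name; they
    # identify the domain an object lives in.
    param([Parameter(Mandatory)][string]$Dn)
    return (($Dn -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
}

# Look each object up against a DC of its own domain. A DC of the wrong
# domain does not hold the object and reports that it cannot be found.
$group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
$user  = Get-ADUser  -Identity $UserSam   -Server $UserDomain

$groupDomainDn = Get-DomainDnFromDn $group.DistinguishedName
$userDomainDn  = Get-DomainDnFromDn $user.DistinguishedName

# Group scope decides whether a cross-domain member is legal at all:
#   Global      -> only principals from the group's own domain
#   DomainLocal -> principals from any trusted domain
#   Universal   -> principals from any domain in the forest (native mode)
if ($group.GroupScope -eq 'Global' -and $groupDomainDn -ne $userDomainDn) {
    throw "Global group '$GroupName' ($groupDomainDn) cannot hold a user from $userDomainDn."
}

# Add the member from the group's side, talking to the group's own domain.
# This is what the group's Members page does; the user's Member Of tab is
# not involved. Passing the ADUser object rather than a bare name lets the
# cmdlet reference the user by DN, which a cross-domain member needs.
Add-ADGroupMember -Identity $group -Members $user -Server $GroupDomain

# Verify from the group side as well, since the user's Member Of tab will
# not list a group from another domain. In-forest members appear in the
# 'member' attribute with their real DNs; accounts from domains outside the
# forest appear as foreignSecurityPrincipal objects under
# CN=ForeignSecurityPrincipals in the group's domain.
$group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
$group.member | ForEach-Object {
    [pscustomobject]@{
        MemberDn     = $_
        MemberDomain = Get-DomainDnFromDn $_
        CrossDomain  = ((Get-DomainDnFromDn $_) -ne $groupDomainDn)
    }
} | Format-Table -AutoSize
```

Run it from an account that has write access to the group's `member` attribute in the group's domain. The final table is the check Jeff Jones describes: every member's domain is derived from the DN stored on the group, so a user from the child domain shows up with `CrossDomain` set to True even though that group never appears on the user's own Member Of tab.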
 