Strange membership issues


Alexx_B

Hi all

I have 2 domains (child and parent). The domains are in 2003 Native mode. Some of
the child domain users are members of parent domain groups (these groups are
universal security groups).

After I had done an authoritative restore of an OU in the child domain and run the created
ldf files on both the child and parent DCs, I could see strange things.

In the parent domain groups I see the restored accounts, but the people are actually not
members of these groups; rather, resources for these groups are unavailable to
those accounts.

When I delete these accounts from the groups and add them again, it all works.

So, at this time, the problem is solved.

But what was it?

I see accounts (not SIDs) in the group, but they are fake....
 
When you do a restore of a user object it won't restore the group membership
of the user, since user membership is a backlink from a group object.
Therefore you would need to restore the groups as after restoring the users,
groups hold the membership and point to users and users have this backlink
(pointer) to show which groups they belong to. It can be quite confusing.

Specific details
http://support.microsoft.com/kb/840001

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Bergson!
I know that when I restore an OU I restore only accounts,
but ntdsutil also generates ldf files for both domains.

In these files I see membership.

So I don't understand why membership doesn't work after the ldf import via
ldifde.
In the child domain all works perfectly, but there are strange problems in the parent domain...

I know about the link you gave, and I restored objects with method 2 in that
manual.
 