Alan - that's how I see it as well - it's the unexpected change that I don't like. Especially in environments where Exchange is not centralized, it is not uncommon that almost all DCs are GCs - here this "feature" is definitely a loss.
No matter what - it will cause confusion, as it doesn't behave like it used to.
However, you also know that ADUC is really not showing you all the (direct) group-memberships anyways (as mentioned before neither the 2000 nor the 2003 version show you the memberships of Domain Local Groups of foreign domains). You might recall my AD Disaster-Recovery session at DEC => there is a similar issue when authoritatively recovering objects in AD, as you have no clue which foreign DLGs an object was a member of... And if you don't restore the object on a GC, then you also lose knowledge of which foreign UGs the object was a member of.
In the end, not seeing something in ADUC might be the least of your worries.
From: Isham, Alan A [mailto:[EMAIL PROTECTED]
Sent: Montag, 17. November 2003 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain
Guido, thanks for the reply.
I don't like "the feature" and would consider it a takeaway from the Windows 2000 version. We've spent considerable time teaching our "office workers" how they can locate ALL groups they are a member of. The bellyaching I heard before will only be magnified when I tell an executive's administrator to learn ADSI edit too or in place of. Additionally, I'm concerned Windows Server 2003's adminpak.msi file will generate unwanted call volume when people expect one thing (aka all groups) and get something else (aka only domain groups).
I guess it is a "change" thing ....
Alan A Isham
Messaging and Active Directory Engineering
Intel Corporation in Folsom, California
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, November 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain
Hello Alan, I can see that you won't like this - it goes without saying that you're talking about Universal Groups from other domains in your forest - correct?
In 2000, when connected to a GC, ADMU would display your UG memberships even when they're from a different domain (as a GC would create the appropriate BackLinks to your AD account). However, when you connect to "just" a DC, you would not see these memberships either (as the DC has no clue of the UGs of another Domain). Of course, even a GC has no idea which Domain Local Groups in other domains you are a member of, as the members of DLGs are not replicated to GCs....
The 2k3 version of ADMU is somewhat more consistent, in that it ONLY displays your memberships of groups in the SAME domain that you're connected to. Not so nice, if you've got used to seeing the other UGs on your GCs, but maybe more consistent overall.
However, don't forget that the BackLinks to your AD accounts still exist on a GC - you can see them by checking the memberOf attribute of the account using other LDAP tools, such as ADSIedit. Here you will also see the UGs of the "foreign" domains in your forest.
This bug is a feature - if you don't like it, let me know - as I also don't like it... and I'm talking to the MS PM about this for some time already - but I'm sure you can add some weight to it with a mail to A.L. yourself as well ;-). Anyone else don't like this "update"? ;-))
Cheers,
Guido
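
A small model of the visibility rules described in the message above, as an added example that is not part of the original thread: it computes which memberOf backlinks a plain DC and a GC can hold for amr\jdoe, and what an access review has to do to see every direct membership. The group scopes, group4 (a constructed foreign Domain Local Group) and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str          # "global", "universal" or "domainlocal"
    members: frozenset  # direct members, written as domain\user

# Constructed sample forest. group1-3 follow the thread's amr\jdoe example
# (their scopes are assumptions); group4 is an added foreign Domain Local Group.
FOREST = [
    Group("group1", "amr", "global", frozenset({r"amr\jdoe"})),
    Group("group2", "gar", "universal", frozenset({r"amr\jdoe"})),
    Group("group3", "ger", "universal", frozenset({r"amr\jdoe"})),
    Group("group4", "ger", "domainlocal", frozenset({r"amr\jdoe"})),
]

def member_links_held(server_domain, is_gc):
    """Groups whose member attribute is present on the server queried."""
    return [g for g in FOREST
            if g.domain == server_domain            # full replica of own domain
            or (is_gc and g.scope == "universal")]  # GC: member of UGs only

def member_of(user, server_domain, is_gc):
    """memberOf backlinks that this server can compute for the user."""
    return sorted(f"{g.domain}\\{g.name}"
                  for g in member_links_held(server_domain, is_gc)
                  if user in g.members)

def aduc_2003_view(user, server_domain, is_gc):
    """Per the thread, the 2003 snap-in lists only the connected domain's groups."""
    return [g for g in member_of(user, server_domain, is_gc)
            if g.startswith(server_domain + "\\")]

def full_direct_membership(user):
    """Ask one DC in every domain for its groups that list the user as member."""
    found = set()
    for domain in {g.domain for g in FOREST}:
        found.update(f"{g.domain}\\{g.name}"
                     for g in member_links_held(domain, is_gc=False)
                     if user in g.members)
    return sorted(found)

if __name__ == "__main__":
    user = r"amr\jdoe"
    print("DC in amr   :", member_of(user, "amr", is_gc=False))
    print("GC in amr   :", member_of(user, "amr", is_gc=True))
    print("ADUC 2003   :", aduc_2003_view(user, "amr", is_gc=True))
    print("all domains :", full_direct_membership(user))
```

In this model the GC's memberOf still misses ger\group4, so only the per-domain search returns every direct membership.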
From: Isham, Alan A [mailto:[EMAIL PROTECTED]
Sent: Freitag, 14. November 2003 17:46
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain
Anyone have a known workaround for the issue below?
I installed MMC Active Directory Users and Computers from Windows Server 2003 (version 5.2.3790.0) on a new desktop. I can no longer view groups I am a member of in groups that reside outside of my local domain like I could with Windows 2000 (version 5.1.3590.0). I've searched MSDN and Microsoft Support, but don't find any hacks to resolve.
For example,
User account is amr\jdoe
amr\jdoe is a member of amr\group1, gar\group2, ger\group3
In MMC AD UC Windows 2000 version 5.1.3590.0, I see the following:
Doe, John Properties
Member of:
Name      Active Directory Folder
Group1    amr.corp.company.com/blah, blah, blah
Group2    gar.corp.company.com/blah, blah, blah
Group3    ger.corp.company.com/blah, blah, blah
In MMC AD UC Windows Server 2003 version 5.2.3790.0, I see the following:
Doe, John Properties
Member of:
Name      Active Directory Folder
Group1    amr.corp.company.com/blah, blah, blah
Where is Group2 and Group3???
Thanks for your help!
Alan A Isham
Active Directory Engineering
Intel Corporation in Folsom, California
