RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

[Rick Kingslan]

Shit....  I say once again!

 

I AM NOT CONFUSED!  ( Only merely befuddled most of the time - usually by the company I keep on this list....)  ;-)

 

And, as to what we pay our chimps - IMHO, too damn much.  Two of these guys studied like crazy people, got their MCSE's, think they are "The King Shit", and haven't cracked a book since.

 

Company offered to send anyone who wanted to go to a 2 nights a week, 6 month track for the MCSE Windows 2003.  These two haven't even seen the outside of a Win2k3 box, and declined.  Why?  Well, they already *HAD* their Win2k MCSE..... How much different could it possibly be?  Oy.....

 

Sadly, there is but two people in my Dept of 9 that I can trust....  The rest should have their DA rights pulled as they are a danger to themselves and others - then they get to work and are a danger to our network. 

 

And, God love my Network Manager, the guy that my boss reports to.  He can't get out of the Tech stuff, but has no clue what he's doing.  Writes and runs scripts (well intended, but just as destructive) that have totally messed up our Contacts and DL memberships on more occassions than I can count.

 

I'm in the process of defining role based security for our network and I still have the e-mails from when I strongly suggested that Exchange should reside in its own forest for security and overall ease of mangement in an Enterprise setting with multiple independent operating companies.  Well, gee - we didn't do the forest thing and now guess what?  The idiots that constantly screw with AD because of Exchange are still going to need more rights than they should have - because Exchange requires it.

 

OK - enough griping.

 

And, I still use and prefer the CLI.....  :oP

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, November 22, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

Admit it... You are confused. :o)

 

How much you guys paying chimps now a days?

 

  joe

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, November 19, 2003 1:06 AM
To: [EMAIL PROTECTED]

Oh - I'm *NOT* the one confused..... I *DO* use the cli tools.

 

However, the paid chimps - now THAT'S another story!

 

;o>

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Tuesday, November 18, 2003 8:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

Yeah, One thing I love about MS is the concept of having multiple groups for your membership. One thing I hate about MS is how they handle the bloody things... :o)

 

You shouldn't be confused jumping between 2K and 5.2... Use the command line man!

 

  joe

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, November 17, 2003 11:31 PM
To: [EMAIL PROTECTED]

Joe,

 

Make no mistake - I think the change *IS* for the better - consistency is better than inconsistency.  But, it really shouldn't be this way in the first place.  There should be no reason for me to have to weigh the averages or go from domain to domain to determine what the REAL membership is.

 

Granted, I now am quite conformable with looking in more 'specific', non-traditional (read:invisible to the naked eye) and using new tools to determine what the real membership of a given SP is.

 

I just don't agree that it's a good move.  If it's confusing to me going from Windows 2000 forests to Win2k3 forests (on the same day), imagine what it's like for REAL neophytes.

 

It does give me a reason to think again - that's a nice change!

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, November 17, 2003 7:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

I'm sending one too, but it is going to say great job! Thanks for working towards consistency. :o)

 

It should be good weight as well because I usually am complaining about something. Last time I talked to him I was trying to talk him into giving me AutoGroup - No I don't mean AutoDL.

 

  joe

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Monday, November 17, 2003 2:12 PM
To: [EMAIL PROTECTED]

Guido,

 

So, you're saying that Andreas is the one that we need to 'convince' that this isn't such a great change?  I've noted this in my testing, and know that I've got a huge learning curve with some of my admins, who don't yet grasp the way that Windows 2000 manages viewing group memberships.

 

Yep - I can drop him a note as well.  ;o)

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

---

From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

Hello Alan, I can see that you won't like this - it goes without saying, that you're talking about Universal Groups from other domains in your forest - correct?

 

In 2000, when connected to a GC, ADMU would display your UG memberships even when they're from a different domain (as a GC would create the appropriate BackLinks to your AD account). However, when you connect to "just" a DC, you would not see these memberships either (as the DC has no clue of the UGs of another Domain).  Ofcourse, even a GC has no idea, which Domain Local Groups in other domains you are a member of, as the members of DLGs are not replicated to GCs....

 

The 2k3 version of ADMU is somewhat more consistent, in that it ONLY displays your memberships of groups in the SAME domain that you're connected to.  Not so nice, if you've got used to seeing the other UGs on your GCs, but maybe more consistend overall.

 

However, don't forget, that the BackLinks to your AD accounts still exist on a GC - you can see them by checking the memberOf attribute of the account using other LDAP tools, such as ADSIedit. Here you will also see the UGs of the "foreign" domains in your forest.

 

 

This bug is a feature - if you don't like it, let me know - as I also don't like it... and I'm talking to the MS PM about this for sometime already - but I'm sure you can add some weight to it with a mail to A.L. yourself as well ;-).  Anyone else don't like this "update" ? ;-))

 

 

Cheers,

Guido

---

From: Isham, Alan A [mailto:[EMAIL PROTECTED]
Sent: Freitag, 14. November 2003 17:46
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MMC ADUC doesn't view groups I am a member of in my non local domain

Anyone have a known workaround for the issue below?

 

I installed MMC Active Directory Users and Computers from Windows Server 2003 (version 5.2.3790.0) on a new desktop.  I can no longer view groups I am a member of in groups that reside outside of my local domain like I could with Windows 2000 (version 5.1.3590.0).  I've searched MSDN and Microsoft Support, but don't find any hacks to resolve.

 

For example,

 

User account is amr\jdoe

amr\jdoe is a member of amr\group1, gar\group2, ger\group3

 

In MMC AD UC Windows 2000 version 5.1.3590.0, I see the following:

Doe, John Properties

Member of:

Name    Active Directory Folder

Group1    amr.corp.company.com/blah, blah, blah

Group2    gar.corp.company.com/blah, blah, blah

Group3    ger.corp.company.com/blah, blah, blah

 

In MMC AD UC Windows Server 2003 version 5.2.3790.0, I see the following:

Doe, John Properties

Member of:

Name    Active Directory Folder

Group1    amr.corp.company.com/blah, blah, blah

 

Where is Group2 and Group3???

 

Thanks for your help!

Alan A Isham
Active Directory Engineering
Intel Corporation in Folsom, California