As mentioned, using the native tool, the visibility depends on the group types, and it seems like you prefer viewing the group memberships per user. From a child domain's GC you'll at least be able to view the UG memberships of your parent domain via ADSIEDIT.MSC => look at the memberOf attribute. On a parent domain's GC you could then also use ADSIEDIT, configure it to connect to the child domain's GC partition and view the properties of a user of your child domain the way that it's stored on the parent domain's GC => in the memberOf attribute of the user you'll see the UG and DLG memberships of the parent domain.

We're building a tool right now (basically done, but internal beta is still running) that collects all this information (i.e. the links between users and groups etc.) centrally into an SQL or MSDE database. The tool then allows you to view all the groups that a user belongs to in a forest in a nice UI (i.e. it will not only show you the memberships in the domain's own groups, but also all UGs and DLGs from other domains in your forest). The main purpose though is not for viewing these memberships - it is targeted at helping you automatically restore the memberships in case you've lost them due to restoring accidentally deleted objects in AD.

Let me know if you want to know more and I'll put you on my list.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Samstag, 10. April 2004 12:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain

Thanks for saving my sanity, Guido, I have for days been seeking the missing user right or setting in ADUC to show the memberships :-)

Is there any easier method to show/set these memberships than cruising through all the parent domain groups?

And BTW, copying a user no longer copies the parent domain group memberships - argh!

Ole Thomsen

> -----Original Message-----
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 09, 2004 7:49 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Unable to see users group membership in trusted domain
>
> Works as designed. Especially if you're using Domain Local Groups
> (DLG). But in 2003 you cannot even see the UG memberships of other
> domains in ADUC. This will likely be "fixed" in SP1 as only GCs would
> have the potential to show UG memberships from other domains anyways (a
> filter was added in 2003 so that only groups of own domain show up on
> the MemberOf tab of an object - in SP1 you're supposed to have a
> choice).
>
> Realize a "non-GC" DC doesn't know of the UG memberships of the other
> domains and neither a DC nor a GC will show you the DLG memberships of
> the other domains - as these are not replicated to the GC.
>
> And wait until you try to recover accidentally deleted users in your
> environment and recover them. Then not seeing the memberships will be
> the least of your worries => they'll actually be missing from the other
> groups... Read this whitepaper if you want to know more:
> http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> Sent: Mittwoch, 7. April 2004 00:37
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Unable to see users group membership in trusted domain
>
> I have two AD domains, of which one is subdomain to the other.
>
> In the child domain, most users are members of a number of security
> groups in the parent domain.
>
> All was well until recently, but after raising the domain and forest
> level to 2003 I can no longer see the child domain users' parent domain
> membership under the user property "Member of". Furthermore, from this
> property sheet I cannot add the user to parent domain groups anymore.
>
> They are still members, everything works as expected, and I can add the
> users to groups from within the group property - but that is a hell of a
> job to cruise through all the groups every time a user is created....
>
> Please help :-)
>
> Ole Thomsen
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
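
The comparison described in the thread (a user's memberOf as a domain controller returns it versus as a global catalog returns it), written as an added PowerShell example that is not part of the original messages. The host names, search base and account name are placeholders, and the function name is hypothetical.

```powershell
# Added example: read a user's memberOf from a DC (LDAP://) and from a GC (GC://)
# and list the groups that only the GC view shows.
# Host names, search base and account name below are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices

function Get-MemberOfView {
    param(
        [Parameter(Mandatory)] [ValidateSet('LDAP', 'GC')] [string] $Provider,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Escape LDAP filter metacharacters (RFC 4515) so the name is matched literally.
    $safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a')
    $safe = $safe.Replace('(', '\28').Replace(')', '\29')

    $root     = New-Object System.DirectoryServices.DirectoryEntry("${Provider}://$Server/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    try {
        $hit = $searcher.FindOne()
        if (-not $hit) { throw "User '$SamAccountName' not found via ${Provider}://$Server" }
        # memberOf is absent from the result when the server returns no values for it.
        if ($hit.Properties.Contains('memberof')) {
            $hit.Properties['memberof'] | Sort-Object
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Same user, same partition, two different views.
$user   = @{ SearchBase = 'DC=child,DC=example,DC=com'; SamAccountName = 'jdoe' }
$dcView = @(Get-MemberOfView -Provider LDAP -Server 'dc1.child.example.com' @user)
$gcView = @(Get-MemberOfView -Provider GC   -Server 'gc1.example.com'       @user)

# Group DNs that the GC reports and the child domain's DC does not.
$gcView | Where-Object { $_ -notin $dcView }
```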
