That's a good article. Thanks. So if I understand correctly, in my updated example below:

Parent.com
  DC1 - 5 FSMO roles and GC
  DC2 - GC
  User1, member of Child\HR Group

Child.Parent.com
  DC3 - 3 FSMO roles and GC
  DC4 - *not* a GC
  DC5 - GC
  HR Group

If I were to rename Parent\User1 to Parent\User2, DC3 and DC5 will see the change, since they're GCs, but DC4 would still remember User1. But the net result would be that User2 would still have access via the HR group, since its SID remained the same. So is the actual problem just a cosmetic one? I would expect programs that use the DN to look up a user would fail their lookup, but is that all?

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
