RE: [ActiveDir] ADUC question

[Grillenmeier, Guido]

Title: ADUC question

could it be that your Account Admin is using a Win2000 workstation?

 

the ADUC in Win2003/XP has a new "feature" which will filter the display of a user's group membership to those of the own domain (i.e. domain local, global and universal groups of the own domain) - it will not show you the memberships in universal groups from other domains. This was done to avoid "confusion" for administrators where one might be focussed with ADUC on a GC and one on a non-GC DC, as the latter won't know the UG memberships in the other domains (as you aluted to)

 

Win2000 ADUC doesn't have this "feature" and will happily display all memberships, when connected to a GC.

 

Neither version of ADUC has the capability to show you a user's domain local group memberships in another domain => so there's always the potential you're not seeing the full picture.

 

BTW - the a hotfix is available to remove the filter "feature" on XP and Win2003 - check out http://support.microsoft.com/default.aspx?scid=kb;en-us;833883 (You cannot view a user's Universal Group membership in Windows Server 2003 Active Directory Users and Computers when Universal Groups do not reside in the local domain)

=> you'll have to request the binaries from the TAM to prepare 2003 servers and XP clients...

=> apparently the fix is also contained in SP2 for XP, but I've seen different results with this (but would be worth to check if you Account Admin may have deployed XP with SP2 and you're using some other box)

 

/Guido

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Freitag, 10. Februar 2006 15:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADUC question

Noticed something I don’t think I’ve seen before. Domain structure: empty root + 2 subdomains with users in them. My normal day-to-day account is not a domain admin, and I live in Subdomain A.

I open ADUC, focused on Subdomain A, and search Subdomain B for a user. When I find that user, I click on the Member of tab for that user. All I see are that user’s global group memberships in Subdomain B.

If our Account Admin (she’s not a Domain Admin but has been delegated the rights to create and modify users) opens ADUC and does the same thing, when she looks at the Member Of tab for the same user, she sees not only the Subdomain B global groups, but also the Universal Groups that user is a member of, which live in Subdomain A.

I thought it would be because my console was not focused on a Global Catalog, but I tried it on GC and non-GC domain controllers. Any idea why she sees the Universal groups and no one else does?

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH  45040

Email: [EMAIL PROTECTED] | http://www.cintas.com

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.