it's not a bug in 2000 and it's not fixed in 2003 => it's just a matter of fact that a non-GC DC can't show you the memberships of users from one domain in universal groups of another domain. You'll have to connect to a GC to view these in 2000.
The thing that was "fixed" in 2003 was merely the addition of a filter, which ensures that no matter which DC (non-GC or GC) you connect to you will always view the same group-memberships of a user => it ensures you only view the group-memberships of the user's domain, even if connected to a GC (i.e. it removes the visibility of the UG memberships in other domains...).
The KB that "fixes" this "fix" (reverts it to the logic 2000 offers by default) was already mentioned: http://support.microsoft.com/?kbid=833883
If you want to understand a little more on why things are visible the way they are, you need to understand about group-membership storage, forward links and backlinks and how these are replicated etc. Gil and I have described this (and many other things) in a lot of detail in the following whitepaper: http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Umer Y
Sent: Sunday, 26 February 2006 22:42
To: [email protected]
Subject: Re: [ActiveDir] Big problem with "member of" attribute
On 2/25/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
Best bet? If you can't upgrade, call your local Microsoft support and see if they have this in a W2K version. If not, ask if this is something that can be only applied to the management workstation. If that doesn't work, then you'll have to consider some other solution such as writing a management script/tool that uses the GC and enumerates the members for you.
"By default, in Windows Server 2003, Active Directory Users and Computers only shows group memberships for the local domain. After you apply this hotfix, Windows Server 2003 Active Directory Users and Computers will connect to a global catalog server. If the local domain controller is not also a global catalog server, Active Directory Users and Computers connects to a different global catalog server in the forest. In this case, the forest-wide universal group membership for the user appears in Active Directory Users and Computers."
On 2/24/06, [EMAIL PROTECTED] < [EMAIL PROTECTED] > wrote:
Thanks,
That is my problem, but I am in a Windows 2000 Active Directory yet.
Any idea about that?
Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
* [EMAIL PROTECTED]
( 11 - 3388-8193
"Phil Renouf" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
23/02/2006 17:04
Please respond to: [email protected]
To: [email protected]
cc:
Subject: Re: [ActiveDir] Big problem with "member of" attribute
Have you looked at this KB article?
You cannot view a user's Universal Group membership in Windows Server 2003 Active Directory Users and Computers when Universal Groups do not reside in the local domain
http://support.microsoft.com/?kbid=833883
Phil
On 2/23/06, [EMAIL PROTECTED] < [EMAIL PROTECTED] > wrote:
Hello,
This is strange and difficult to explain. But I will try.
We have many domains, and in these domains, many domain controllers.
In one of these domains we have some universal groups to join users from other sub-domains.
The problem is this....
I cannot see other sub-domains' universal groups the user belongs to. When I open Act Dir User and Comp, I only see the groups in that sub-domain.
But that's not the worst. There are some cases that, if I connect to other domain controllers, it shows all the groups.....
I don't know if you can understand exactly what's happening, but that is it.....
Can you help me?
Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
* [EMAIL PROTECTED]
( 11 - 3388-8193
--
"Ambition is a dream with a V8 engine." ~ Elvis Presley
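Added example, not part of the thread and not code from any of its participants: a PowerShell sketch of the "management script that uses the GC" idea, comparing the memberOf a domain controller returns with the groups a global catalog search finds, which is useful when reviewing what access a user really has. The user DN is a constructed placeholder, and the script assumes a domain-joined workstation, a user in the logged-on domain and a single-tree forest.

```powershell
# Added example, not code from the thread. $UserDn is a constructed placeholder.
param([string]$UserDn = 'CN=Jane Doe,OU=Staff,DC=child,DC=example,DC=com')

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, backslash first, so characters in the DN cannot change the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# View 1: memberOf as returned by whichever DC the serverless LDAP bind reaches.
# On a non-GC DC this holds only groups from the user's own domain.
$user   = [ADSI]"LDAP://$UserDn"
$dcView = @($user.psbase.Properties['memberOf'] | ForEach-Object { [string]$_ })

# View 2: ask a global catalog (GC:// provider) for every group listing the user
# as a member. The GC carries the member attribute of universal groups from all
# domains; domain local groups of other domains are not covered by this search.
$rootDse    = [ADSI]'LDAP://RootDSE'
$forestRoot = [string]$rootDse.psbase.Properties['rootDomainNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"GC://$forestRoot"   # assumption: single-tree forest
$searcher.Filter     = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $UserDn)))"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$results = $searcher.FindAll()
$gcView  = @($results | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })
$results.Dispose()

# Groups visible only through the GC are the cross-domain universal groups that
# the thread reports as missing from the "Member Of" tab.
$gcOnly = @($gcView | Where-Object { $dcView -notcontains $_ })

"Groups in DC view : $($dcView.Count)"
"Groups in GC view : $($gcView.Count)"
$gcOnly | Sort-Object | ForEach-Object { "GC only: $_" }
```

If the domain controller reached by the first bind is itself a global catalog, the two views can match and the "GC only" list comes back empty.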
