(Msg. 1) Posted: Thu Jun 26, 2008 3:00 pm
Post subject: NetUserGetLocalGroups in multi-domain AD environment
Archived from groups: microsoft>public>win2000>active_directory
Hi,
I'm using this Windows API to obtain the local groups that a domain
user is a member of.
We have a domain tree including DomainA and DomainB, with domains at
Domain/Forest Functional level Windows Server 2003. When the call is
issued on a server in DomainA it does not return any local groups for
user DomainB\userid1 when that id is present as a member of a
universal group DomainA\group1 included within a local group on the
server.
When the userid is a member of the group DomainB\group1 (itself also
nested in the local group) the call does return the local group.
I would have expected the membership of DomainB\userid1 in the
universal group DomainA\group1 to be known throughout the two domains
- which trust each other implicitly via the parent. Actually, the
same behavior is seen when one is a child of the other.
Is the processing of the NetUserGetLocalGroups API in this environment
documented somewhere? Or are there other AD restrictions relevant to
universal groups which I need to be aware of?
(Msg. 2) Posted: Mon Jul 07, 2008 6:29 pm
Post subject: Re: NetUserGetLocalGroups in multi-domain AD environment
"Sushil" <Sushil.RemoveThis@newsgroup.nospam> wrote in message
news:3r5764lpfs8t23u699c9sq7brnnr4vajv9@4ax.com...
> Hi,
>
> I'm using this Windows API to obtain the local groups that a domain
> user is a member of.
>
> We have a domain tree including DomainA and DomainB, with domains at
> Domain/Forest Functional level Windows Server 2003. When the call is
> issued on a server in DomainA it does not return any local groups for
> user DomainB\userid1 when that id is present as a member of a
> universal group DomainA\group1 included within a local group on the
> server.
>
> When the userid is a member of the group DomainB\group1 (itself also
> nested in the local group) the call does return the local group.
>
> I would have expected the membership of DomainB\userid1 in the
> universal group DomainA\group1 to be known throughout the two domains
> - which trust each other implicitly via the parent. Actually, the
> same behavior is seen when one is a child of the other.
>
> Is the processing of the NetUserGetLocalGroups API in this environment
> documented somewhere? Or are there other AD restrictions relevant to
> universal groups which I need to be aware of?
>
> TIA.
(Msg. 3) Posted: Tue Jul 08, 2008 9:37 am
Post subject: Re: NetUserGetLocalGroups in multi-domain AD environment
Thanks, but I am using LG_INCLUDE_INDIRECT already.
Note that the call works for user DomainB\userid1 if it is a member of
DomainB\group1 (i.e. LG_INCLUDE_INDIRECT is being observed) - but not if
it is a member of DomainA\group1.
It is as if membership in a DomainA universal group is not being seen
on a NetUserGetLocalGroups call by a DomainA server for a DomainB
user. Maybe the DomainB DC cannot determine this for the call?