| Author | Messages | |
tkern
Posts:6
 | | 11/08/2005 8:12 AM |
| | Message body was not found. | | | |
| GuidoG
Posts:63
 | | 11/08/2005 8:22 AM |
| that's not strange - that's by nature of ADUC's new filtering mechanism, ensuring that you only see membership groups of your own domain. This shall "reduce" the confusion when looking at the memberships on a normal DC vs. a GC => they now show the same...
Check the memberOf attribute of the respective account on a GC of the child domain via ADSIedit, ldp or other LDAP tools and you'll find his membership fully intact.
You can also fix this behaviour (so that you'll see the user's membership in the UG on a child-dom GC) - see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;833883
http://support.microsoft.com/default.aspx?scid=kb;en-us;842632
/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Tuesday, 8 November 2005 21:11
To: activedirectory
Subject: [ActiveDir] enterprise admin issues
I have a strange issue where when I add someone to the enterprise admin UG, that membership is reflected in the root domain but not in the child domain when I click the user's member of tab.
I'm running a 2 domain win2k3sp1 forest in FFL/DFL win2k3.
The root is a resource domain.
All dc's are gc's except the infra masters.
there is no UG caching enabled.
there are 3 sites.
no errors in Directory service log.
netdiag and dcdiag show no errors.
repadmin /showvector /latency /dc=childdomain,dc=root,dc=local shows nothing being more than a few minutes behind.
dns is ad-integrated.
site links are set to 15mins.
any place else I should look?
thanks | | | |
| deji
Posts:152
 | | 11/08/2005 8:26 AM |
| Normal behavior. It's not something you are doing (or not doing). The
"MemberOf" attrib of a user in one domain does not include the group from
another domain when you are enumerating from a user domain that is foreign to
the group.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| GuidoG
Posts:63
 | | 11/08/2005 8:31 AM |
| hey Déji - I actually thought you had used AD before 2003 hit the market ;-)
see my post on the same topic...
/Guido | | | |
| tkern
Posts:6
 | | 11/08/2005 8:33 AM |
| that's not strange - that's by nature of ADUC's new filtering mechanism, ensuring that you only see membership groups of your own domain. This shall "reduce" the confusion when looking at the memberships on a normal DC vs. a GC => they now show the same...
Check the memberOf attribute of the respective account on a GC of the child domain via ADSIedit, ldp or other LDAP tools and you'll find his membership fully intact.
You can also fix this behaviour (so that you'll see the user's membership in the UG on a child-dom GC) - see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;833883
http://support.microsoft.com/default.aspx?scid=kb;en-us;842632
/Guido | | | |
| deji
Posts:152
 | | 11/08/2005 8:38 AM |
| Wrong choice of verb :). "include" is not the right word I meant to say
Who are YOU anyway? :)
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon | | | |
| GuidoG
Posts:63
 | | 11/08/2005 8:50 AM |
| yes, cross-domain UG visibility worked (or should I say "works") fine in Win2k - but apparently some customer had issues with ADUC showing different group-memberships in ADUC depending on which DC you were connected to (DC vs GC), which is why this "new feature" was added in Win2003.
I didn't like this feature either - especially in an environment with Exchange and users being in various DLs from other domains, which you could now no longer see either :-( I complained early on (but too late for the RTM version)...
So now the confusion is the other way... - thus the fix.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Tuesday, 8 November 2005 21:30
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] enterprise admin issues
Thanks!!
I don't remember, were you able to see cross domain UG membership in win2k?
also, do you really think this is a good "feature" in your opinion?
I think it's led to more confusion for me than the other way....
thanks again | | | |
| listmail
Posts:497
 | | 11/08/2005 8:53 AM |
| Using 2K ADUC and assuming you were looking at a GC yes.
This is a filtering mechanism in K3's ADUC. It isn't
implemented any lower. LDAP requests will still show info but it can be
confusing to people when certain things are shown or not
shown. | | | |
|
|
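The check suggested in the thread (reading memberOf from a child-domain GC over LDAP instead of relying on the ADUC "Member Of" tab), as an added example that is not part of the original posts. Server names and object DNs are hypothetical placeholders; the script also reads the group's own member attribute from a root-domain DC as a cross-check when auditing a privileged group such as Enterprise Admins.

```powershell
# Added example. Server names and DNs are hypothetical placeholders; only the
# dc=childdomain,dc=root,dc=local naming is taken from the thread.
param(
    [string]$UserDN  = 'CN=Some Admin,CN=Users,DC=childdomain,DC=root,DC=local',
    [string]$ChildGC = 'gc01.childdomain.root.local',
    [string]$RootDC  = 'dc01.root.local',
    [string]$GroupDN = 'CN=Enterprise Admins,CN=Users,DC=root,DC=local'
)

function Get-AttributeValues {
    param([string]$Path, [string]$Attribute)
    # Bind to one object and read a single multi-valued attribute.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    try {
        $entry.RefreshCache([string[]]@($Attribute))
        @($entry.Properties[$Attribute] | ForEach-Object { [string]$_ })
    } finally {
        $entry.Dispose()
    }
}

function Get-DomainPart {
    param([string]$DN)
    # 'CN=x,CN=Users,DC=a,DC=b' -> 'DC=a,DC=b'
    ($DN -split ',(?=DC=)', 2)[1]
}

# memberOf as the child-domain GC returns it (GC:// binds to port 3268).
$memberOf = Get-AttributeValues -Path "GC://$ChildGC/$UserDN" -Attribute 'memberOf'

# The group's own member list, read from a DC of the domain that owns the group.
# Large groups need ranged retrieval; Enterprise Admins is normally small.
$members = Get-AttributeValues -Path "LDAP://$RootDC/$GroupDN" -Attribute 'member'

$userDomain = Get-DomainPart $UserDN
$memberOf | ForEach-Object {
    [pscustomobject]@{
        Group       = $_
        # Groups outside the user's own domain are the ones the thread says
        # the Win2003 ADUC "Member Of" tab filters out.
        CrossDomain = (Get-DomainPart $_) -ne $userDomain
    }
} | Format-Table -AutoSize

"{0} listed in memberOf on GC: {1}" -f $GroupDN, ($memberOf -contains $GroupDN)
"User listed in member attribute on {0}: {1}" -f $RootDC, ($members -contains $UserDN)
```

If the two final lines disagree, treat the group's member attribute on its own domain's DC as the authoritative record and look at GC replication.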