Strange membership issues



Hi all

I have 2 domains (child and parent). The domains are in 2003 Native mode. Some of
the child domain users are members of parent domain groups (these groups are
universal security groups).

After I did an authoritative restore of an OU in the child domain and ran the created
ldf files on both child and parent DCs, I could see strange things.

In the parent domain groups I see the restored accounts, but the people actually are not
members of these groups; rather, resources for these groups are unavailable to
those accounts.

When I delete these accounts from the groups and add them again, all works.

So, at this time the problem is solved.

But what was it?

I see accounts (not SIDs) in the group, but they are fake....

Paul Bergson [MVP-DS]

When you do a restore of a user object it won't restore the group membership
of the user, since user membership is a backlink from a group object.
Therefore you would need to restore the groups after restoring the users;
groups hold the membership and point to users, and users have this backlink
(pointer) to show which groups they belong to. It can be quite confusing.

Specific details

Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


Hi Bergson!
I know that when I restore an OU I restore only accounts,
but ntdsutil also generates ldf files for both domains.

In these files I see membership.

So I don't understand why membership doesn't work after ldf import via
In the child domain all works perfectly, but there are strange problems in the parent domain...

I know about the link you gave and I restored the objects with method 2 in that
