Strange membership issues

A

Alexx_B

Hi all

I have 2 domains (child and parent). Domains in 2003 Native mode. Some of
the child domain users are members of parent domain groups (this groups are
universal security groups)

After I had done authoritative restore OU in child domain and run created
ldf files both child and parent DC's, I could see strange things.

In parent domain groups I see restored accounts but people actually are not
members of these groups, rather resources for this groups are unavailable for
that accounts

When I delete this accounts from groups and add it again - all works

So, at this time problem solved.

But what it was?

I see accounts (not SIDs) in group, but they are fake....
 
P

Paul Bergson [MVP-DS]

When you do a restore of a user object it won't restore the group membership
of the user, since user membership is a backlink from a group object.
Therefore you would need to restore the groups as after restoring the users,
groups hold the membership and point to users and users have this backlink
(pointer) to show which groups they belong to. It can be quite confusing.

Specific details
http://support.microsoft.com/kb/840001

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
A

Alexx_B

Hi Bergson!
I know that when I restore OU I restore only accounts
but ntdsutil generates also ldf files for both domains

In this files I see membership.

So I don't understand why membership doesn't work after ldf import via
ldifde.
In child domain all works perfect, but strange problems in parent domain...

I know about link you give and I restore objects with method 2 in that
manual.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Migrating from multiple child domain environment to single domain with OUs. What's correct method? 5
NetUserGetLocalGroups in multi-domain AD environment 2
Universal groups scope with trusted domains. 5
AD, Ent. Admin rights in child domain 3
cross domain trusts 2
Help with failed child DC! 1
Adding user to Child Domain Group 4
Sites in AD (cont.) 2

Top