From: Sushil on 26 Jun 2008 10:00

Hi,

I'm using this Windows API to obtain the local groups that a domain user is a member of.

We have a domain tree including DomainA and DomainB, with domains at Domain/Forest Functional level Windows Server 2003. When the call is issued on a server in DomainA it does not return any local groups for user DomainB\userid1 when that id is present as a member of a universal group DomainA\group1 included within a local group on the server.

When the userid is a member of the group DomainB\group1 (itself also nested in the local group) the call does return the local group.

I would have expected the membership of DomainB\userid1 in the universal group DomainA\group1 to be known throughout the two domains - which trust each other implicitly via the parent. Actually, the same behavior is seen when one is a child of the other.

Is the processing of the NetUserGetLocalGroups API in this environment documented somewhere? Or are there other AD restrictions relevant to universal groups which I need to be aware of?

TIA.
From: "S. Pidgorny <MVP>" on 7 Jul 2008 04:29

http://msdn.microsoft.com/en-us/library/aa370655(VS.85).aspx

Note LG_INCLUDE_INDIRECT

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Sushil" <Sushil(a)newsgroup.nospam> wrote in message news:3r5764lpfs8t23u699c9sq7brnnr4vajv9(a)4ax.com...
> Hi,
>
> I'm using this Windows API to obtain the local groups that a domain
> user is a member of.
>
> We have a domain tree including DomainA and DomainB. With domains at
> Domain/Forest Functional level Windows Server 2003. When the call is
> issued on a server in DomainA it does not return any local groups for
> user DomainB\userid1 when that id is present as a member of a
> universal group DomainA\group1 included within a local group on the
> server.
>
> When the userid is a member of the group DomainB\group1 (itself also
> nested in the local group) the call does return the local group.
>
> I would have expected the membership of DomainB\userid1 in the
> universal group DomainA\group1 to be known throughout the two domains
> - which trust each other implicitly via the parent. Actually, the
> same behavior is seen when one is a child of the other.
>
> Is the processing of the NetUserGetLocalGroups API in this environment
> documented somewhere? Or are there other AD restrictions relevant to
> universal groups which I need to be aware of?
>
> TIA.
From: Sushil on 8 Jul 2008 04:37

"S. Pidgorny <MVP>" <slavickp(a)yahoo.com> wrote:
> http://msdn.microsoft.com/en-us/library/aa370655(VS.85).aspx
>
> Note LG_INCLUDE_INDIRECT

Thanks, but I am using LG_INCLUDE_INDIRECT already. Note that the call works for user DomainB\userid1 if it is a member of DomainB\group1 (i.e. LG_INCLUDE_INDIRECT is being observed) - but not if it is a member of DomainA\group1. It is as if membership in a DomainA universal group is not being seen on a NetUserGetLocalGroups call by a DomainA server for a DomainB user. Maybe the DomainB DC cannot determine this for the call?
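Added example, not from the thread: a PowerShell P/Invoke wrapper for NetUserGetLocalGroups that queries a server once without and once with LG_INCLUDE_INDIRECT for the same cross-domain user, so the two result sets can be compared. The server name 'serverA' is a placeholder; 'DomainB\userid1' is the user from the thread; it must run on a domain-joined Windows host with rights to query the target server.

```powershell
$netApiSource = @'
using System;
using System.Runtime.InteropServices;
public static class NetApi
{
    public const uint LG_INCLUDE_INDIRECT = 0x0001;   // also report nested (indirect) membership
    public const uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
    [StructLayout(LayoutKind.Sequential)]
    public struct LOCALGROUP_USERS_INFO_0 { [MarshalAs(UnmanagedType.LPWStr)] public string lgrui0_name; }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserGetLocalGroups(string servername, string username, uint level, uint flags,
        out IntPtr bufptr, uint prefmaxlen, out uint entriesread, out uint totalentries);
    [DllImport("netapi32.dll")]
    public static extern uint NetApiBufferFree(IntPtr buffer);
}
'@
if (-not ('NetApi' -as [type])) { Add-Type -TypeDefinition $netApiSource }

function Get-LocalGroupsViaNetApi {
    param(
        [Parameter(Mandatory)][string]$Server,   # server whose local groups are queried (a DomainA member)
        [Parameter(Mandatory)][string]$User,     # 'DOMAIN\user', e.g. 'DomainB\userid1'
        [switch]$IncludeIndirect                 # pass LG_INCLUDE_INDIRECT
    )
    $flags = if ($IncludeIndirect) { [NetApi]::LG_INCLUDE_INDIRECT } else { [uint32]0 }
    $buf = [IntPtr]::Zero; $read = [uint32]0; $total = [uint32]0
    # Level 0 returns an array of LOCALGROUP_USERS_INFO_0 (group name only).
    $status = [NetApi]::NetUserGetLocalGroups($Server, $User, 0, $flags,
        [ref]$buf, [NetApi]::MAX_PREFERRED_LENGTH, [ref]$read, [ref]$total)
    if ($status -ne 0) { throw "NetUserGetLocalGroups failed, NET_API_STATUS $status" }
    try {
        $t = [NetApi+LOCALGROUP_USERS_INFO_0]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($t)
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]::Add($buf, $i * $size), $t)
            $entry.lgrui0_name
        }
    } finally {
        [void][NetApi]::NetApiBufferFree($buf)   # buffer is allocated by the API; always free it
    }
}

# Compare direct-only and nested results for the cross-domain user described in the thread.
$direct   = @(Get-LocalGroupsViaNetApi -Server 'serverA' -User 'DomainB\userid1')
$indirect = @(Get-LocalGroupsViaNetApi -Server 'serverA' -User 'DomainB\userid1' -IncludeIndirect)
"Direct only  : $($direct -join ', ')"
"With nesting : $($indirect -join ', ')"
```

Running the comparison for a user nested via DomainB\group1 and again for one nested only via the universal group DomainA\group1 reproduces the difference the thread reports, which is useful evidence when auditing whether effective local-group membership matches what the directory shows.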