Resolution
fact
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
symptom
Directory and Resource Administrator does not allow Assistant Admins to add users from a domain in one forest to a universal security group in another forest.
symptom
If an Assistant Admin selects a universal security group and attempts to add users to it, a list of trusted domains appears that the Assistant Admin can choose from to select the account to be added. Even though a two way trust might exist between two domains in two different forests, no objects from the trusted domain in the second forest are be available to add to a universal group in the first.
cause
Local group: Accounts from any trusted domain in any forest Universal group: Accounts from any trusted domain in the same forest
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
symptom
Directory and Resource Administrator does not allow Assistant Admins to add users from a domain in one forest to a universal security group in another forest.
symptom
If an Assistant Admin selects a universal security group and attempts to add users to it, a list of trusted domains appears that the Assistant Admin can choose from to select the account to be added. Even though a two way trust might exist between two domains in two different forests, no objects from the trusted domain in the second forest are be available to add to a universal group in the first.
cause
This behavior is by design of the product and adheres to Microsoft Windows' guidelines regarding cross-domain and cross-forest group membership. The following list displays the three security group types and the possible sources for their member accounts:
- Global group: Accounts from the same domain only
Additional Information
Formerly known as NETIQKB17713