Directory and Resource Administrator does not allow Assistant Admins to add users from a domain in o (NETIQKB17713)

  • 7717713
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

symptom
Directory and Resource Administrator does not allow Assistant Admins to add users from a domain in one forest to a universal security group in another forest.

symptom
If an Assistant Admin selects a universal security group and attempts to add users to it, a list of trusted domains appears from which the Assistant Admin can select the account to be added. Even though a two-way trust might exist between two domains in two different forests, no objects from the trusted domain in the second forest are available to add to a universal group in the first.

cause

This behavior is by design of the product and adheres to Microsoft Windows' guidelines regarding cross-domain and cross-forest group membership.  The following list displays the three security group types and the possible sources for their member accounts:

  • Global group: Accounts from the same domain only
  • Local group: Accounts from any trusted domain in any forest
  • Universal group: Accounts from any trusted domain in the same forest
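
The three rules above can be applied as a pre-check on a batch of membership requests, so that refusals and their reasons are known before an Assistant Admin attempts the change. This is an added example, not part of the original article or of Directory and Resource Administrator; the domain names, trust data and function names are constructed for illustration.

```python
# Constructed topology (not from the article): domain -> forest it belongs to.
FOREST_OF = {
    "corp.example": "corp.example",
    "eu.corp.example": "corp.example",
    "partner.example": "partner.example",
    "lab.example": "lab.example",
}
# Constructed two-way trust between domains in different forests.
CROSS_FOREST_TRUSTS = {frozenset({"corp.example", "partner.example"})}

def is_trusted(group_domain, account_domain):
    """Domains in one forest trust each other; otherwise an explicit trust is needed."""
    return (FOREST_OF[group_domain] == FOREST_OF[account_domain]
            or frozenset({group_domain, account_domain}) in CROSS_FOREST_TRUSTS)

def check_add(scope, group_domain, account_domain):
    """Apply the article's three rules; return (allowed, reason)."""
    same_forest = FOREST_OF[group_domain] == FOREST_OF[account_domain]
    if scope == "global":
        ok = group_domain == account_domain
        return ok, "same domain" if ok else "global groups take accounts from their own domain only"
    if scope == "universal":
        # A trust to another forest does not help here: the forest boundary decides.
        return same_forest, "same forest" if same_forest else "account is outside the group's forest"
    if scope == "local":
        ok = is_trusted(group_domain, account_domain)
        return ok, "trusted domain" if ok else "no trust to the account's domain"
    raise ValueError(f"unknown group scope: {scope!r}")

def review_requests(requests):
    """Return the requests that would be refused, each with its reason."""
    refused = []
    for scope, group_domain, account_domain in requests:
        allowed, reason = check_add(scope, group_domain, account_domain)
        if not allowed:
            refused.append((scope, group_domain, account_domain, reason))
    return refused

# Constructed requests; the first is the case this article describes.
REQUESTS = [
    ("universal", "corp.example", "partner.example"),
    ("universal", "corp.example", "eu.corp.example"),
    ("local", "corp.example", "partner.example"),
    ("local", "corp.example", "lab.example"),
    ("global", "corp.example", "eu.corp.example"),
]

if __name__ == "__main__":
    print(*review_requests(REQUESTS), sep="\n")
```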


Additional Information

Formerly known as NETIQKB17713