Administrators from one managed domain can see all other managed domain objects in the 32-bit GUI. (NETIQKB40065)

  • 7740065
  • 02-Feb-2007
  • 22-May-2013

Environment

Directory and Resource Administrator 8.5.x 
Directory and Resource Administrator 8.6.x

Situation

Administrators from one managed domain can see all other managed domain objects in the 32-bit GUI. 

Resolution

You can hide the other domains' objects in the search list by enabling the administration server option 'Hide Source-only objects from console lists'. Assistant Admins will still have the power to perform a GroupMemberAdd operation, but objects from the trusted domains will not be visible in the search dialog.

To configure the administration server option:

  1. Open the Delegation and Configuration console.
  2. Right-click on the Configuration Management node and select Update Administration Server Options...
  3. Select the Client Options tab.
  4. Select the Hide source-only objects from console lists checkbox and click OK.

Note: An alternative to hiding the source-only objects is to go into the registry and delete the source-only rule. However, with this method, you cannot add users from other domains to groups in the domain where you are an Administrator.

Cause

This is by design. There is a source rule in the 'Objects Current User Manages as Windows Administrator' ActiveView which allows an Assistant Admin to see objects in trusted domains as source objects for GroupMemberAdd operations.

Additional Information

The Registry path for the ActiveView related to Objects Current User Manages as a Windows Administrator is:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\ActiveView\{22CF4F63-9B54-4BB3-8FD8-7E5CFA107B69}
 
Note: It is recommended to have a backup of the Windows Registry before making any changes. Once this key is deleted and a DRA Multi Master Sync has occurred, these changes will replicate to all DRA Servers.
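
The backup recommended in the note above can be scripted for the ActiveView key named on this page. The PowerShell below is an added example, not NetIQ's own tooling; the backup folder C:\DRA-RegBackup and the file naming are assumptions. It exports the key, records a hash of the export, and lists the subkeys for review. It does not change or delete anything.

```powershell
# Added example: back up the ActiveView key from this article before editing it.
# Run in an elevated PowerShell session on the DRA Administration server.
$ErrorActionPreference = 'Stop'

# Registry path exactly as given in the article.
$KeyPath = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\ActiveView\{22CF4F63-9B54-4BB3-8FD8-7E5CFA107B69}'

# Assumption: backup location and file name are illustrative, adjust as needed.
$BackupDir  = 'C:\DRA-RegBackup'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupFile = Join-Path $BackupDir "ActiveView-WindowsAdmin-$Stamp.reg"

# -LiteralPath is required because the key name contains braces.
if (-not (Test-Path -LiteralPath "Registry::$KeyPath")) {
    throw "ActiveView key not found on this server: $KeyPath"
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Export the key and everything under it to a .reg file.
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe export failed with exit code $LASTEXITCODE"
}

# Confirm the export is non-empty and record a hash for the change record.
$File = Get-Item -LiteralPath $BackupFile
if ($File.Length -eq 0) {
    throw "Export file is empty: $BackupFile"
}
$Hash = Get-FileHash -LiteralPath $BackupFile -Algorithm SHA256

# List the subkeys so the rules in the ActiveView can be reviewed before any change.
$SubKeys = Get-ChildItem -LiteralPath "Registry::$KeyPath" -Recurse |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    BackupFile = $File.FullName
    SizeBytes  = $File.Length
    SHA256     = $Hash.Hash
    SubKeys    = $SubKeys
} | Format-List
```

Because a deletion replicates to all DRA Servers after a Multi Master Sync, keep the exported .reg file somewhere that is not affected by that replication.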
 
 
Formerly known as NETIQKB40065