Re: How can I add trusted groups to DL-groups with dsmod or other

From: Joe Richards [MVP]
Date: 01/09/05

Date: Sun, 09 Jan 2005 10:39:52 -0500

OK, your issue is exactly as mentioned by the others. NT does not support the
LDAP interface; there is NO DN that points to anything in the NT domains. What
AD has to do is generate a foreign security principal, which is a SID reference
back to the NT domain group, and then it adds that fsp to the AD domain local group.

Supposedly you can drop to using the WinNT provider on both sides to make this
work, Windows will create the fsp for you and insert it into the AD group. Also
supposedly you can use the LDAP provider and the group interface's ADD method
using the <SID=xxx> format to specify the NT group.

For instance the SID


would look like


Retrieving and playing with SIDs is not generally considered fun in ADSI
scripting. You will want to look into the iADsSID interface which you can find
some info on in the news groups and here

Do a Google search on iADsSID and look for postings by Max, Marc, and Joe Kaplan.

There is also a small example at

I have sent a note to MSDN that they should produce some more docs on that


Joe Richards Microsoft MVP Windows Server Directory Services

Peter Schmuecking wrote:
> Hello,
> I have an AD domain and a fully trusted NT domain DOM.
> All users are logging in at the NT domain DOM and are grouped in a
> global group ggroup. To grant the users the access to AD resources
> I created a domain local group dlgroup in AD and manually put the
> global group ggroup into dlgroup. This works well.
> To automate this action for the rest of groups I tried AD command line
> tools e.g. dsmod but this doesn't work. "dsmod group CN=dlgroup,
> DS=mydom,DS=forest,DS=de -addmbr CN=ggroup,DS=DOM".
> A friend tried to script (vbs ?) this with LDAP commands, but he
> could not address the DOM resources.
> I am not a script specialist, normally I use cmd-scripts with command
> line tools like dsmod but I think my problem needs a special script
> solution.
> Can you help me?
> Thanks
> "Joe Richards [MVP]" wrote:
>>Give some concrete examples with DNs so we can see what you are doing. If it can 
>>be done manually it probably can be done with script at the very least.
>>   joe
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>Peter Schmuecking wrote:
>>>I have a trusted nt domain and can add trusted global groups manually,
>>>but cannot work from command line with e.g. dsmod.
>>>The DN of trusted groups is not accepted.
>>>How can I do this manual work with a command line script?
>>>Thanks, Peter