Re: Group Membership Problem


TB

There is also a difference in the way group memberships are displayed
depending on whether you are looking from a W2K or W2K3 DC, and whether you
are on a DC or a GC. This relates specifically to whether membership of groups in
other domains is displayed in the 'member of' tab.

KB 833883 discusses this behaviour.

Gordon


"TB" wrote:

> How would I go about fixing this?
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:320613AF-DF84-4499-A22E-AD79204945AD@xxxxxxxxxxxxx,
> > TB <TB@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then commented
> > about below:
> > > I am having an issue with one of my domains not receiving updates
> > > from the parent domain. Here is my setup:
> > >
> > > domainA --- DomainB (child)
> > > |
> > > Domain C (child)
> > >
> > > Domain A is The parent Windows 2000
> > > Domain B is the Child Windows 2000
> > > Domain C is the Child Windows 2003 mixed
> > >
> > > Domain C does not show updated membership info from A, however it
> > > does allow access to a resource if I add a name. When I look at a
> > > user's member of tab it only shows groups of the local domain, not
> > > groups from Domain A. Domain B is fine.
> > >
> > > Please help.
> > >
> > > thanks
> >
> > It's not working because of the way the forest was upgraded. The forest root
> > DCs must be first upgraded to Win2003 prior to upgrading any child domains.
> > Specifically, the machine holding the Domain Name Master and PDC Emulator
> > role in the forest root domain must be done first, and this is after adprep
> > /forestprep and adprep /domainprep have been run on the forest root domain.
> > Then adprep /domainprep must be run on each domain prior to upgrading the
> > 2000 DCs in those domains.
> >
> > This is taken from the link I provided in the bottom of my post:
> >
> > The following computers must be among the first domain controllers that run
> > Windows Server 2003 in the forest in each domain:
> > - The domain naming master in the forest so that you can create default DNS
> >   program partitions.
> > - The primary domain controller of the forest root domain so that the
> >   enterprise-wide security principals that Windows Server 2003's forestprep
> >   adds become visible in the ACL editor.
> > - The primary domain controller in each non-root domain so that you
> >   can create new domain-specific Windows 2003 security principals.
> >
> >
> >
> > 325379 - How to Upgrade Windows 2000 Domain Controllers to Windows Server
> > 2003:
> > http://support.microsoft.com/?id=325379
> >
> >
> > Unfortunately, I think you now have your work cut out for you.
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroups
> > so all can benefit.
> >
> > This posting is provided "AS-IS" with no warranties or guarantees
> > and confers no rights.
> >
> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> > Microsoft Windows MVP - Windows Server - Directory Services
> > Infinite Diversities in Infinite Combinations.
> > =================================
> >
> >
> >
> >
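
An added example, not part of the original posts: one way to compare the `memberOf` values a domain DC and a global catalog return for the same user, and to list the group SIDs the DC computes in `tokenGroups`, so a membership review does not rely on a single 'member of' view. The user DN and server names are constructed placeholders, and the script assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Constructed placeholders: replace with a real user DN and servers.
$userDn   = 'CN=Sample User,CN=Users,DC=domainc,DC=domaina,DC=example'
$domainDc = 'dc1.domainc.domaina.example'   # a DC in the user's own domain
$gcServer = 'gc1.domaina.example'           # any global catalog server

function Get-MemberOf([string]$AdsPath) {
    # LDAP:// binds to the domain partition, GC:// to the global catalog
    $entry = [adsi]$AdsPath
    $entry.psbase.Properties['memberOf'] | ForEach-Object { [string]$_ }
}

# @() keeps these as arrays even when zero or one value comes back
$fromDc = @(Get-MemberOf "LDAP://$domainDc/$userDn")
$fromGc = @(Get-MemberOf "GC://$gcServer/$userDn")

# One row per group DN, flagged by which view lists it
$fromDc + $fromGc | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Group = $_
        OnDC  = $fromDc -contains $_
        OnGC  = $fromGc -contains $_
    }
} | Format-Table -AutoSize

# tokenGroups is a constructed attribute: the DC expands the user's group
# SIDs transitively. It has to be requested explicitly on the object itself.
$user = [adsi]"LDAP://$domainDc/$userDn"
$user.psbase.RefreshCache(@('tokenGroups'))
$user.psbase.Properties['tokenGroups'] | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID could not be resolved to a name from here
}
```

Rows where `OnDC` and `OnGC` differ are the groups that one view displays and the other does not.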