Re: Multiple Domains

"Herb Martin" wrote:


"EMan" <EMan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8F17E774-57C2-41B7-90ED-F708DAAA136D@xxxxxxxxxxxxxxxx
I have two domains, D1 and D2, where there is a one-way trust between D1 and D2 (D1 trusts D2).

Then users in D2 can (be granted) access (to) resources in D1.

I have an application using LDAP to read the AD in D2 from D1 using a service account from D2.

Ok.

The service account is a user in the OU I am trying to read.

Doesn't matter. Membership in any particular OU has nothing to
do with access, except in the sense that you have chosen to delegate
there.

When the LDAP query is executed I get some users, but not all of the users, and I can't understand the reason why all users are not returned. What can I do to read all of the users?

Chances are any other user (e.g., an Admin) would get the same results if you execute this as that user -- IF not, then you likely have a permission problem where you have not delegated the necessary permissions to the account.

Yes, this is true. I used an admin account and received 2 out of 218 users.

Check your script locally, check it using another (admin) user, check it remotely with the admin until you can figure out what the specific difference is if you have incorrect results.

I checked the script locally in D1 and I can read each OU and receive the correct number of users. When I use an admin account to read from D2, I get the same results as the service account. It is not possible in this application to get a two-way trust. Should this work without a two-way trust?

Thanks,
EMan


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)


