Windows Server Forum / Windows 2000 / Active Directory / July 2008

NetUserGetLocalGroups in multi-domain AD environment

Sushil - 26 Jun 2008 15:00 GMT
Hi,

I'm using this Windows API to obtain the local groups that a domain
user is a member of.

We have a domain tree including DomainA and DomainB. With domains at
Domain/Forest Functional level Windows Server 2003. When the call is
issued on a server in DomainA it does not return any local groups for
user DomainB\userid1 when that id is present as a member of a
universal group DomainA\group1 included within a local group on the
server.

When the userid is a member of the group DomainB\group1 (itself also
nested in the local group) the call does return the local group.

I would have expected the membership of DomainB\userid1 in the
universal group DomainA\group1 to be known throughout the two domains
- which trust each other implicitly via the parent. Actually, the
same behavior is seen when one is a child of the other.

Is the processing of the NetUserGetLocalGroups API in this environment
documented somewhere? Or are there other AD restrictions relevant to
universal groups which I need to be aware of?

TIA.
S. Pidgorny <MVP> - 07 Jul 2008 09:29 GMT
http://msdn.microsoft.com/en-us/library/aa370655(VS.85).aspx

Note LG_INCLUDE_INDIRECT

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Hi,
>
[quoted text clipped - 21 lines]
>
> TIA.
Sushil - 08 Jul 2008 09:37 GMT
>http://msdn.microsoft.com/en-us/library/aa370655(VS.85).aspx
>
>Note LG_INCLUDE_INDIRECT

Thanks, but I am using LG_INCLUDE_INDIRECT already.

Note that the call works for user DomainB\userid1 if it is a member of
DomainB\group1 (i.e. LG_INCLUDE_INDIRECT is being observed) - but not if
it is a member of DomainA\group1.

It is as if membership in a DomainA universal group is not being seen
on a NetUserGetLocalGroups call by a DomainA server for a DomainB
user. Maybe the DomainB DC cannot determine this for the call?
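
The call the thread is discussing, as an added example that is not code from either participant: a PowerShell wrapper that P/Invokes NetUserGetLocalGroups at level 0 with LG_INCLUDE_INDIRECT so an administrator can audit which local groups on a server a DOMAIN\user resolves to. The function name Get-EffectiveLocalGroups and the server and user names are placeholders chosen for this example.

```powershell
# Added example, not from the thread: P/Invoke NetUserGetLocalGroups from PowerShell to list the
# local groups on a server that a DOMAIN\user resolves to, including nested (indirect) membership.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class NetApi32 {
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetLocalGroups(
        string servername, string username, int level, int flags,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $signature

function Get-EffectiveLocalGroups {
    param(
        [Parameter(Mandatory)][string]$Server,   # server whose local groups are inspected
        [Parameter(Mandatory)][string]$User      # DOMAIN\user form, as the MSDN page allows
    )
    $LG_INCLUDE_INDIRECT  = 0x0001   # report membership gained through nested groups
    $MAX_PREFERRED_LENGTH = -1       # (DWORD)-1: let the API size the buffer itself
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    $status = [NetApi32]::NetUserGetLocalGroups($Server, $User, 0, $LG_INCLUDE_INDIRECT,
                  [ref]$buf, $MAX_PREFERRED_LENGTH, [ref]$read, [ref]$total)
    if ($status -ne 0) { throw "NetUserGetLocalGroups('$Server','$User') returned NET_API_STATUS $status" }
    try {
        # Level 0 yields an array of LOCALGROUP_USERS_INFO_0, each a single LPWSTR (lgrui0_name)
        $groups = for ($i = 0; $i -lt $read; $i++) {
            $slot = [IntPtr]::Add($buf, $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni([Runtime.InteropServices.Marshal]::ReadIntPtr($slot))
        }
        # One object per group so the output can be diffed against a second source
        foreach ($g in $groups) { [pscustomobject]@{ Server = $Server; User = $User; LocalGroup = $g } }
    } finally {
        [void][NetApi32]::NetApiBufferFree($buf)   # always release the API-allocated buffer
    }
}

# Placeholder names; substitute the member server and the cross-domain user under review.
# As the thread reports, membership reached only through a universal group in the server's own
# domain may be missing for a user from another domain, so compare this list with the members
# shown by 'net localgroup <group>' on the server (expanding nested groups) before relying on it.
Get-EffectiveLocalGroups -Server 'SERVER-IN-DOMAINA' -User 'DomainB\userid1'
```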