Group memberships not visible using ADUC on another domain

[antpoole]

Hi,

We have a Windows 2003 network running in native mode, with an AD forest containing several domains

A user has an account on Domain A, and is a member of several security groups, some of which exist in Domain A, some in Domain B.

When I view the properties of this user's AD account using ADUC on a server within Domain A (the user's home domain), the Member Of tab displays a full list of group memberships for that user.

However, when I view the same user's account using ADUC on a server which exists in Domain B, the Member Of tab only displays those groups which exist in Domain A.

We're using standard AD replication across all domains, and all the groups are universal. As I understand it you should be able to view the full attributes of a users's AD account using ADUC on any server in the forest, but this doesn't seem to be happening in this case. It is causing a problem because when applications send authentication queries to AD on domain B, authentication is failing because it doesn't recognise that this user is a member of the appropriate groups.

Any help or ideas on why this might be happening would be appreciated!

Thanks
Anthony

 

[adcfaq]

anthony,
GC is controlling the group membership. in ur case, domain b server you are querying the user's group membership can't contact a GC for that information, that's why u can't have membership listed. check if that particualr DC or server has access to a GC.

------------------------------------
Directory Services/Exchange Consultant