Cannot add group membership to users in a different domain (child domains to parent) (153182)

Return

Feedback submitted.

Was this article helpful?

[Select Rating]

Title

Cannot add group membership to users in a different domain (child domains to parent)
Description

Identity Manager manages a parent domain and 3 child domains. The 3 child domains are synchronized, but the parent is not.

The service account has domain admin (full control) to all 3 domains.

When trying to assign membership from a user to a group in a different domain, a user from other domains cannot be selected.

Is this by design or is there something else that has to be done/configured to make this possible?
Resolution

In order for this to work you have to specify the trusts for each domain, as required:

- Select the domain in Manager, then under "Tasks" select "Specify trust relationships". Then choose the domains.

Then when you assign groups to users you can select from trusted domains.

You can see where this is coming from in the condition for the group assignment (when "Show field definition" is enabled):

((isnull(IsApplicationGroup, 0) = 0) and (
UID_ADSContainer in (
select UID_ADSContainer from ADSContainer
whereIdent_Domain = N'mydomain'
or Ident_Domain in
(
select Ident_DomainTrusts
from DomainTrustsDomain
where Ident_DomainTrusted = N'mydomain')
)))

Please note: it may also be necessary to inlcude a value for "Also look for group members in following domains" in the sync configuration.