戻る
-
タイトル
Group Membership tab is not showing members from other domains -
説明
When adding members from multiple domains, the Group Membership tab may not display members from foreign domains.
Symptoms:
- When viewing group membership in the Active Roles MMC Console or Web Interface, members from foreign domains are missing from the list.
- Only group members from the same domain are displayed.
- In native tools, such as ADUC, foreign group members are displayed properly.
- Domains have two-way trust relationship properly configured.
-
原因
-
対策
In the Active Roles Console, delegate the permissions listed below to the users or groups that need to view group memberships:
If both domains are in the same forest:
- Create a new Access Template, and configure the following permissions
- Apply only to the following classes: ForeignSecurityPrincipal
- Object Access: List - Object
- Object Access: List - Contents
- Object Property Access: Read Properties
- In the domain that the group belongs to, navigate to the ForeignSecurityPrincipals container
- Delegate the previously created Access Template on the ForeignSecurityPrincipals container
If both domains are in different forests:
- Perform the steps above
- In the domain that the group belongs to, navigate to the ForeignSecurityPrincipals container
- Delegate the following Access Templates on the ForeignSecurityPrincipals container
- All Objects - Read All Properties
- Create a new Access Template, and configure the following permissions
-
追加情報
No permissions to read properties of the users are required. No permissions to list domain or OUs are required.