2 Replies Latest reply on Dec 17, 2018 12:41 PM by DKWAK

    Cross Domain Group users not enumerating

    DKWAK Apprentice

      Scenario:

      Two domains DomA and DomB

      Users members of groups in either domain or both.

       

      We can deploy to group members only where the User and group are members of the same domain.

      So users in DomA who are members of a group in DomA seem to work fine, and the same holds true for DomB.

       

      But if we have a Local or Universal Security group with users from the foreign domain, we cannot deploy using the group, even though there is a full trust between the domains, or so I have been told.

       

      Here is a Table to help explain it

      User        Member Of Group   Result
      DomA\Jack   DomA\Finance      Works
      DomB\John   DomB\Sales        Works
      DomA\Jack   DomB\Sales        Fails to resolve
      DomB\John   DomA\Finance      Fails to resolve

       

      Picture for what shows when we browse to the Group

       

      Does anyone have suggestions on how to deal with this?  We will be migrating to one domain but until then...

        • 1. Re: Cross Domain Group users not enumerating
          phoffmann SupportEmployee

          Yeah - careful with those "Domains trust each other" situations, as I tend to find Windows trusts to be VERY iffy / questionable a lot of the time.

           

          So if you want, you can actually troubleshoot this for yourself on your devices reasonably easily.

           

          When a device needs to either pick up "who am I / who is my user" domain-information wise, it runs "LDAPWHOAMI.EXE" (in the LDCLIENT directory - so "C:\Program Files (x86)\LANDesk\LDClient\" by default), and tries to resolve both the user & the machine information (no parameters needed, but it helps running the binary from a CMD-window, so you can see the output).


          The benefit of (re-)running the executable in a controlled fashion is that you can WIRESHARK (for instance) and/or turn on auditing or whatnot on your DCs and find out "where the comms (attempt to) go" ... and where things break (or at least, are refused for some reason).

           

          That should help you find / figure out where things aren't working at least in a way where you can control how / where those requests go.

          • 2. Re: Cross Domain Group users not enumerating
            DKWAK Apprentice

             This helps; I did not know I could run LDAPWHOAMI manually.

             But it seems LDAPWHOAMI only returns groups I am a member of in the domain I am a member of. It does not handle the other domain or any Foreign Security Principals. Anyone have any ideas on how to handle my situation?
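The cross-domain memberships in the thread above are stored in the group's own domain as foreignSecurityPrincipal objects named by the member's SID, and resolving that SID back to DomA\Jack or DomB\John is exactly the step that depends on the trust working. The following PowerShell script is an added example (not from the original post, not part of LANDesk/Ivanti, and independent of LDAPWHOAMI.EXE) that walks a group's member attribute, asks the local LSA to translate each foreign SID through the trust, and reports which principals fail to resolve. It assumes the RSAT ActiveDirectory module is installed and that the group and domain names (Sales, DomB) are placeholders taken from the table above.

```powershell
# Added example: enumerate a group's members across a domain trust and flag
# foreign security principals whose SIDs cannot be resolved through the trust.
# Assumes the RSAT ActiveDirectory module; names are placeholders from the thread.
Import-Module ActiveDirectory

function Resolve-CrossDomainGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,    # e.g. 'Sales'
        [Parameter(Mandatory)][string]$GroupDomain   # e.g. 'DomB' (a name a DC can be located for)
    )

    # Read the raw member attribute; Get-ADGroupMember would itself choke on
    # foreign members when the trust misbehaves, which is what we want to observe.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $GroupDomain -Properties objectClass, objectSid

        if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
            # Members from the other domain live under CN=ForeignSecurityPrincipals
            # and carry only the SID of the real account.
            $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
            try {
                # Translate asks the local LSA to map the SID to DOMAIN\name,
                # which requires locating a DC of the SID's home domain via the trust.
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                [pscustomobject]@{ Member = $account;  Source = 'ForeignSecurityPrincipal'; Resolved = $true }
            } catch {
                # Same symptom the deployment tool hits: the SID is in the group,
                # but nothing on this machine can turn it back into a user name.
                [pscustomobject]@{ Member = $sid.Value; Source = 'ForeignSecurityPrincipal'; Resolved = $false }
            }
        } else {
            # Same-domain member (user, group, computer): resolvable locally.
            [pscustomobject]@{ Member = "$GroupDomain\$($obj.Name)"; Source = $obj.objectClass; Resolved = $true }
        }
    }
}

# Usage: for DomB\Sales containing DomA\Jack, a healthy trust lists Jack as a
# resolved foreign principal; a broken one lists only his raw SID with Resolved = False.
Resolve-CrossDomainGroupMembers -GroupName 'Sales' -GroupDomain 'DomB' | Format-Table -AutoSize
```

Run it from a machine joined to the same domain as the device that fails to deploy, because SID translation uses that machine's secure channel and DC locator, so an unresolved entry here points at the same trust, DNS or DC-reachability problem that Wireshark or DC auditing would show when LDAPWHOAMI runs.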