Error creating a user through a trust in graphic mode

Hi everyone,


I have installed an AD Forest for the use of an application, let's say app1.com. For security reasons, a one-way trust has been created between this forest and the forest hosting the accounts of the users' company (contoso.com), so contoso users have access to resources in app1.com, but users and computers in app1.com do not have access to contoso.com resources. Also note that the subnet for the application is behind a firewall.

Then I wanted to use my personal admin account in contoso.com to manage app1.com. The problem is I receive an error when I use Active Directory Users and Computers console in order to create a user account : "An error occurred. Contact your system administrator."

I have no problems managing groups and computer accounts. And once the user account is created another way, I can modify or even delete it. Furthermore, I can create the account using PowerShell! I used this command line:

# $password must be a SecureString; prompt for it rather than typing it in clear text
$password = Read-Host -AsSecureString "Password for user01"
New-ADUser -Name "TEST User" -Enabled $true -AccountPassword $password -Description "this is a test" -DisplayName "TEST User" -GivenName "User" -Surname "TEST" -SamAccountName "user01" -UserPrincipalName "user01@app1.com" -Path "OU=Users,OU=Application,DC=app1,DC=com"


Is this a bug? Expected behavior through a trust?

I would be pleased to have a solution, or at least an explanation.

thanks


June 25th, 2015 10:07am

What if you try with another administrative user?
June 25th, 2015 10:48am

With an administrative user in app1.com, it's successful

But with another account from the trusted forest, it's still in error

June 25th, 2015 12:51pm

Can you resolve SRV records for app1.com from the trusted forest?
June 25th, 2015 1:08pm

DNS resolution works well.

Everything seems fine in the trust; the only problems I've detected are:

- LDAP ping from the app1 server receives no answer from the contoso DC, which seems due to the Windows 2008 R2 OS (it works well in a lab with 2012 R2). This behavior slows the logon process.

- The creation of user accounts

June 25th, 2015 2:30pm

Maybe it's worth checking the TCP/UDP dynamic ports on both domains and seeing if they match:

netsh int ipv4 show dynamicport udp

netsh int ipv4 show dynamicport tcp


June 25th, 2015 2:40pm

I don't think it's a problem with dynamic ports. The DC in app1.com has standard dynamic ports. I do not have access to the contoso.com DC.

But I've found another error, more explicit, but still weird.

I needed to reset a password. Graphically I had a delegation error:

Windows cannot complete the password change for user01 because :

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

The error code is listed as SEC_E_DELEGATION_REQUIRED (0x80090345) at the following link: https://msdn.microsoft.com/en-us/library/windows/desktop/dd542646%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396


With PowerShell, no error! 8o|

Set-ADAccountPassword -Identity user01 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password0" -Force)

June 29th, 2015 3:36pm

Hi Bastien,

Based on my understanding, you want to use an admin account in contoso.com to manage app1.com, and there is a one-way trust. Right?

As the error prompt says, you still lack delegation. In fact, though there is a trust relationship between the domains, it still needs admin credentials for the other domain so that you can create the user/change the password in that domain. You need to enable credential delegation, so that PowerShell can pass your username/password to the other domain, so that it can use them to perform the operation which is failing.

Best Regards,

Mary Dong

July 2nd, 2015 11:15pm
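An added diagnostic (not from this thread, nor Microsoft's tooling) that reads the settings the SEC_E_DELEGATION_REQUIRED message and the reply above refer to: the trust direction, the console computer's delegation flags, and the admin account's "cannot be delegated" flag. It assumes the RSAT ActiveDirectory module, a session running as the contoso admin, the domain names from the thread and a placeholder admin account name:

```powershell
# Added diagnostic, not from this thread or from Microsoft. It reads the two
# settings the SEC_E_DELEGATION_REQUIRED message names (computer trusted for
# delegation, user account allowed to be delegated) plus the trust direction.
# Assumes the RSAT ActiveDirectory module and a session running as the contoso
# admin; domain names come from the thread, the account name is a placeholder.
Import-Module ActiveDirectory

function Test-CrossForestDelegation {
    param(
        [string]$ResourceDomain = 'app1.com',        # forest hosting the application
        [string]$AccountDomain  = 'contoso.com',     # forest hosting the admin accounts
        [string]$AdminSam       = 'admin.bastien',   # PLACEHOLDER contoso admin account
        [string]$Console        = $env:COMPUTERNAME, # machine running ADUC
        [string]$ConsoleDomain  = 'app1.com'         # set to contoso.com if ADUC runs there
    )

    # 1. Trust object on the app1 side. "app1 trusts contoso, not the reverse"
    #    shows up as Direction = Outbound when queried against an app1 DC.
    $trust = Get-ADTrust -Identity $AccountDomain -Server $ResourceDomain -ErrorAction SilentlyContinue
    $direction = if ($trust) { $trust.Direction } else { 'no trust object found' }
    [pscustomobject]@{ Check = 'Trust direction seen from app1.com'; Value = $direction }

    # 2. Console computer account: TrustedForDelegation is the "Trust this computer
    #    for delegation" setting; TrustedToAuthForDelegation is the protocol-transition form.
    $comp = Get-ADComputer -Identity $Console -Server $ConsoleDomain `
        -Properties TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{ Check = 'Console trusted for delegation (any form)'
                       Value = [bool]($comp.TrustedForDelegation -or $comp.TrustedToAuthForDelegation) }

    # 3. Admin account: AccountNotDelegated is the "Account is sensitive and cannot be
    #    delegated" flag. True is the hardened state for privileged accounts; when it is
    #    set, the delegation the error message asks for is blocked on the account side.
    $user = Get-ADUser -Identity $AdminSam -Server $AccountDomain -Properties AccountNotDelegated
    [pscustomobject]@{ Check = 'Admin account marked not delegated'; Value = [bool]$user.AccountNotDelegated }
}

Test-CrossForestDelegation | Format-Table -AutoSize
```

Keeping AccountNotDelegated set on admin accounts is the safer configuration; the output shows whether the GUI failure is consistent with that setting before anyone considers loosening delegation.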

Hi Mary,

How does this explain the fact that the same operations failing from the GUI succeed from PowerShell?

July 3rd, 2015 3:41am
