memberof not set in a cross-forest scenario

Hi,

I have two forests and I created a bi-directional forest trust. In order to prepare for ADMT I tried to add a user from forest A to a domain-local security group in forest B. That seems to be working, as the user is listed in the group's "Members" UI in forest B.

But if you go to the user object in forest A the group membership is not listed, and you also cannot see it when checking the memberOf property. whoami /groups also does not show the group membership. For a domain admin in forest A that is also a member of Builtin/Administrators in forest B, that results in "you must be a member of Domain Admins", and permission is denied if you try to migrate the SID, even if you grant "migrate SID history" explicitly.

So I have two problems:
1. Why can't I find the group in memberOf? (when checking via the GUI or Get-ADPrincipalGroupMembership)
2. Is there any way to migrate the SIDHistory if you are unable to put the account into Builtin/Administrators?

What did I miss? Please help.

Thanks in advance,

Martin


August 28th, 2015 3:23am

Are you using the newest ADMT tool? (link below).

https://connect.microsoft.com/site1164

Configuring the Source and Target Domains for SID History Migration

https://technet.microsoft.com/en-us/library/cc974410%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

August 28th, 2015 2:58pm

Hi Jedi_Administrator,

Yes, I'm using the version mentioned in the first link.

The settings from the second link are applied, as I knew that page before (it's not the first time I've used ADMT, so I'm basically in training with configuring it). It starts working if I use the GUI and the "administrator" account from the other domain. So it seems there is no issue with the settings to migrate SID history.

My issue sounds more like an issue with the service account used for ADMT (as well as any other domain admin in the target forest), as it looks like the memberOf is not linked. When adding that account to the source Builtin/Administrators group, the memberOf field does not show the group membership on the user side, while the group shows the member fine.

As a result, whoami /groups does not show that as part of my ticket.

How to resolve?

Regards,
Martin

August 28th, 2015 3:55pm
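The symptom described in both of Martin's posts (the group in forest B lists the member, but the user object in forest A has no matching memberOf entry) can be checked from the resource forest's side: forest B does not store a reference to the forest-A user object at all, only a foreignSecurityPrincipal (FSP) object named after the user's SID, and the memberOf back-link lives on that FSP. The following script is an added example, not code from the thread or from ADMT; the server names and account name are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: list the forest-B group memberships of a forest-A user
# by resolving the foreignSecurityPrincipal that forest B created for it.
# The user's own memberOf (forest A) cannot show these, because the
# back-link is maintained on the FSP object inside forest B.
Import-Module ActiveDirectory

$SourceSam    = 'migrationsvc'              # placeholder: sAMAccountName in forest A
$SourceServer = 'dc01.foresta.example'      # placeholder: a DC in forest A
$TargetServer = 'dc01.forestb.example'      # placeholder: a DC in forest B

# 1. Resolve the user's SID in forest A; the SID is the only thing forest B stores about it.
$user = Get-ADUser -Identity $SourceSam -Server $SourceServer
$sid  = $user.SID.Value

# 2. Find the FSP in forest B. Its CN is the SID string; it is created on first
#    membership add and typically lives under CN=ForeignSecurityPrincipals.
$fsp = Get-ADObject -Server $TargetServer -Properties memberOf `
    -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(cn=$sid))"

if (-not $fsp) {
    Write-Warning "No FSP for $SourceSam ($sid) in forest B: the account is not a member of any forest-B group."
    return
}

# 3. memberOf on the FSP is the cross-forest membership that the forest-A user object lacks.
#    Domain-local groups appear here; they are added to a token only when a forest-B DC builds it,
#    which is why 'whoami /groups' on a forest-A logon session does not list them either.
$fsp.memberOf | ForEach-Object {
    Get-ADGroup -Server $TargetServer -Identity $_ |
        Select-Object Name, GroupScope, DistinguishedName
}
```

Run it from a host that can reach DCs in both forests; an empty result with an existing FSP means the member was removed again but the FSP object was left behind.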

Since this is across forests, is the account an Enterprise Admin in both forests?
August 28th, 2015 4:01pm
