Two-domain Active Directory rights conundrum

  • Two-domain Active Directory rights conundrum

    Hey all,

    Where to begin (*sigh*). We have two domains in our environment - ZIPSERVE and BIG.OPS. BIG.OPS has an outgoing trust to ZIPSERVE.

    In the ZIPSERVE directory, we have a group called Coordinators who log in to their machines under the ZIPSERVE domain, but need to use the Active Directory Sites and Services tool to manage usernames and passwords in the BIG.OPS directory. They typically open an MMC, right-click ZIPSERVE, choose Connect to Domain, type in BIG.OPS and click OK.

    About a week ago, this portion *broke*. After they typed in BIG.OPS and clicked OK, a message now appears saying:

    --
    Windows cannot connect to the new domain because:
    Logon failure: unknown username or password
    --

    *They were NOT prompted for credentials*

    However, they can sort of get around this by right-clicking ZIPSERVE again, this time choosing Connect to Domain Controller, and connect using fully.qualified.name.of.big.ops.machine.

    But unfortunately, once they are connected and want to manage the BIG.OPS domain, they are constantly prompted for their ZIPSERVE credentials and/or are denied access to changes they want to make, even though they have full rights on the OUs they are adjusting.

    I initially suspected a trusts issue between the two domains, but I validated it today and that went fine. I'm not sure where to start - can someone throw me a bone?

    Thanks,
    Brian

  • #2
    Re: Two-domain Active Directory rights conundrum

    Would this be because your users were taken out of the Enterprise Admins group in their home domain?
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |


    • #3
      Re: Two-domain Active Directory rights conundrum

      Hey there,

      I can certainly check tomorrow, but the Coordinators group (or its members) should not be in the Enterprise Admin group, as they are "average Joe" users that should be very limited in their rights. Any other ideas? I still think there's a bigger cross-domain problem going on here...

      Brian
