robczymoch
(RobC0619)
September 17, 2014, 1:56pm
1
We have an AD forest. Root domain plus 3 child domains. We delegate permissions to the help desk so that they can create accounts and manage them in all domains. They are also given relevant manage user group permissions as well. This all works fine. One thing we have noticed is that for child domain users the Help desk people cannot see Universal groups that have been added under member of tab of the User account. They can add the group fine and can change locations to the root domain when adding the group to the user account. If they try to add the group again because they can’t see it they get an error that the user is already a member of the group. As overall administrator I can see the groups fine under child domain users. I am thinking that I am missing a delegation from somewhere?
Anyone have an idea on this?
2 Spice ups
briansteinmeyer8653
September 17, 2014, 3:00pm
2
Are you still running Server 2003? If so, this article should apply:
2 Spice ups
robczymoch
(RobC0619)
September 17, 2014, 3:12pm
3
No, we are at 2008 domain level now, but we did come from a 2003 domain recently. The problem in the linked article is exactly the same issue we are experiencing.
robczymoch
(RobC0619)
September 17, 2014, 3:23pm
4
Eesh, Microsoft.
The problem we are experiencing is the same. All of our DCs are global catalog servers, so ADUC should be showing universal groups even if they do not reside on the local domain. Yet ADUC is not showing them, but the stated hotfix seems to be for workstations and not your domain controllers. I am researching to see if this applies at the DC or local workstation level.
briansteinmeyer8653
September 17, 2014, 3:25pm
5
What domain/forest functioning level are you running?
robczymoch
(RobC0619)
September 17, 2014, 3:34pm
6
We are at the 2008 Forest level, the root domain is at 2008 level and our child domains are at 2008 R2 level. As recently as 6 months ago we used to be at the 2003 domain and forest level. Originally this domain started out as 2000 level and has been upgraded over the years.
robczymoch
(RobC0619)
September 17, 2014, 3:47pm
7
So I used Active Directory Administrative Center and it shows the universal groups. It's just ADUC that is the problem. I am going to try the registry fix in that article you linked on a workstation and see if that works.
robczymoch
(RobC0619)
September 17, 2014, 3:54pm
8
I can’t believe it… just implementing the registry change on a workstation running ADUC fixed the issue.
Good link and information!!!
2 Spice ups
briansteinmeyer8653
September 17, 2014, 3:58pm
9
Cool, glad it worked out… Were the DCs fresh installs of 2008 or upgrades?
robczymoch
(RobC0619)
September 17, 2014, 4:21pm
10
We no longer have the original DCs that started out with this domain. They have been phased out and replaced over the years. They were always replaced with freshly installed and promoted DCs.