"The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003 (892239)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
SYMPTOMS
A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:

    dsmod failed: The specified user does not exist
    type dsmod /? for help.

For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:

    dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"

In this scenario, you receive the following error message:

    dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.
    type dsmod /? for help.

CAUSE
This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.

WORKAROUND
To work around this behavior, use one of the following methods:
- Use Active Directory Users and Computers to add the user to the group.
- Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
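
    ' Parse the named arguments /g:<groupDN> and /u:<userDN>.
    for each strArg in wscript.Arguments.Named
        strValue = wscript.Arguments.Named.Item(strArg)
        select case lcase(strArg)
            case "g" ' distinguished name of the target group
                groupDN = strValue
            case "u" ' distinguished name of the user to add
                userDN = strValue
            case "?","help","h"
                wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
                wscript.quit
        end select
    next

    ' Stop if either DN is missing, so the script never binds to an unintended object.
    if groupDN = "" or userDN = "" then
        wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
        wscript.quit 1
    end if

    ' Bind to both objects. Flag 1 is ADS_SECURE_AUTHENTICATION; the null user
    ' name and password mean that the caller's current credentials are used.
    set oProv = GetObject("LDAP:")
    set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, 1)
    set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, 1)

    ' Read the user's binary SID and add the user to the group by SID, not by DN.
    oValue = oUser.Get("objectSid")
    oString = OctetString2String(oValue)
    ' 3 is ADS_PROPERTY_APPEND: append to "member" without replacing existing members.
    oGroup.PutEx 3, "member", Array("<Sid=" & oString & ">")
    oGroup.SetInfo

    ' Convert a binary octet string to hexadecimal text, two digits per byte.
    Function OctetString2String(byVal OctetStr)
        dim result
        dim j, loByte, hiByte
        result = ""
        for j = lbound(OctetStr) to ubound(OctetStr)
            hiByte = ascb(midb(OctetStr,j+1,1))
            loByte = hiByte mod 16
            hiByte = hiByte \ 16
            result = result & hex(hiByte) & hex(loByte)
        next
        OctetString2String = result
    End Function

To run the script, use the following syntax:

    cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]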

Modification Type: Major
Last Reviewed: 6/21/2006
Keywords: kbwinservds kbActiveDirectory kbprb kbtshoot KB892239 kbAudITPRO