"The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003

Article ID: 892239


A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:
dsmod failed: The specified user does not exist
type dsmod /? for help.
For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:
dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"
In this scenario, you receive the following error message:
dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.
type dsmod /? for help.


This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.


To work around this behavior, use one of the following methods:
  • Use Active Directory Users and Computers to add the user to the group.
  • Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
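    ' Parse the named arguments /g:groupDN and /u:userDN.
    for each strArg in wscript.Arguments.Named
    	strValue = wscript.Arguments.Named.Item(strArg)
    	select case lcase(strArg)
    		case "g" ' DN of the group to modify
    			groupDN = strValue
    		case "u" ' DN of the user to add
    			userDN = strValue
    		case "?","help","h"
    			wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
    			wscript.quit
    	end select
    next

    ' Bind to both objects with secure authentication (1 = ADS_SECURE_AUTHENTICATION).
    set oProv = GetObject("LDAP:")
    set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, 1)
    set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, 1)

    ' Read the user's binary SID and convert it to a hexadecimal string.
    oValue = oUser.Get("objectSid")
    oString = OctetString2String(oValue)

    ' Append (3 = ADS_PROPERTY_APPEND) the SID-form reference to the member attribute, then commit the change.
    oGroup.PutEx 3, "member", Array("<Sid=" & oString & ">")
    oGroup.SetInfo

    ' Convert a binary octet string to its hexadecimal text form, two digits per byte.
    Function OctetString2String(byVal OctetStr)
    dim result
    dim j, loByte, hiByte
        result = ""
        for j = lbound(OctetStr) to ubound(OctetStr)
            hiByte = ascb(midb(OctetStr,j+1,1))
            loByte = hiByte mod 16
            hiByte = hiByte \ 16
            result = result & hex(hiByte) & hex(loByte)
        next
        OctetString2String = result
    End Function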
    To run the script, use the following syntax:
    cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]
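
The script writes the member as a hexadecimal SID ("<Sid=...>"), which is hard to read when reviewing who was added to a privileged group such as Administrators. The following added example (not part of the original article) decodes that hex form into the usual S-1-... string and builds the distinguished name of the foreign security principal object that represents a cross-forest member in the trusting domain. The function names and the sample SID are constructed for illustration.

```python
import struct

def sid_hex_to_string(hex_sid):
    """Decode the hex text produced by OctetString2String into S-1-... form."""
    raw = bytes.fromhex(hex_sid)          # raises ValueError on non-hex input
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_string_to_hex(sid):
    """Encode an S-1-... string into the hex form used after '<Sid='."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    raw = (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
           + struct.pack("<%dI" % len(subs), *subs))
    return raw.hex().upper()

def member_binding(sid):
    """The value the script appends to the group's member attribute."""
    return "<Sid=" + sid_string_to_hex(sid) + ">"

def fsp_dn(hex_sid, domain_dn):
    """DN of the foreign security principal that represents the member."""
    return ("CN=" + sid_hex_to_string(hex_sid)
            + ",CN=ForeignSecurityPrincipals," + domain_dn)

if __name__ == "__main__":
    # Constructed sample: hex form of the made-up SID S-1-5-21-1-2-3-1105.
    sample = "01050000000000051500000001000000020000000300000051040000"
    print(sid_hex_to_string(sample))
    print(member_binding("S-1-5-21-1-2-3-1105"))
    print(fsp_dn(sample, "dc=forestB,dc=local"))
```

Comparing the decoded SID with the objectSid of the intended account in the other forest confirms that the right identity was added to the group.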


For more information about the dsmod command, visit the following Microsoft Web site:
For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:
298882 The new command-line tools for Active Directory in Windows Server 2003
322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003


Article ID: 892239 - Last Review: October 30, 2006 - Revision: 2.2
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)