"The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003

Article ID: 892239

SYMPTOMS

A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:
dsmod failed: The specified user does not exist
type dsmod /? for help.
For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:
dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"
In this scenario, you receive the following error message:
dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.
type dsmod /? for help.

CAUSE

This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.

WORKAROUND

To work around this behavior, use one of the following methods:
  • Use Active Directory Users and Computers to add the user to the group.
  • Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
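    ' Dsaddmbr.vbs - adds a user from a trusted forest to a group by SID.
    Option Explicit

    Const ADS_SECURE_AUTHENTICATION = 1   ' authentication flag for OpenDSObject
    Const ADS_PROPERTY_APPEND = 3         ' PutEx control code: append values

    Dim strArg, strValue, groupDN, userDN
    Dim oProv, oGroup, oUser, oValue, oString

    ' Read the named arguments /g:groupDN and /u:userDN.
    For Each strArg In WScript.Arguments.Named
        strValue = WScript.Arguments.Named.Item(strArg)
        Select Case LCase(strArg)
            Case "g" ' distinguished name of the group
                groupDN = strValue
            Case "u" ' distinguished name of the user
                userDN = strValue
            Case "?", "help", "h"
                WScript.Echo "cscript /nologo " & WScript.ScriptName & " [/g:groupDN] [/u:userDN]"
                WScript.Quit
        End Select
    Next

    ' Both distinguished names are needed before binding to the directory.
    If groupDN = "" Or userDN = "" Then
        WScript.Echo "cscript /nologo " & WScript.ScriptName & " [/g:groupDN] [/u:userDN]"
        WScript.Quit 1
    End If

    ' Bind to the group and to the user with the caller's own credentials.
    Set oProv = GetObject("LDAP:")
    Set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION)
    Set oUser = oProv.OpenDSObject("LDAP://" & userDN, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION)

    ' Append the user to the group by SID (<Sid=hex>) instead of by DN.
    oValue = oUser.Get("objectSid")
    oString = OctetString2String(oValue)
    oGroup.PutEx ADS_PROPERTY_APPEND, "member", Array("<Sid=" & oString & ">")
    oGroup.SetInfo

    ' Converts the binary objectSid value to a string of two hex digits per byte.
    Function OctetString2String(ByVal OctetStr)
        Dim result
        Dim j, loByte, hiByte

        result = ""
        For j = LBound(OctetStr) To UBound(OctetStr)
            hiByte = AscB(MidB(OctetStr, j + 1, 1))
            loByte = hiByte Mod 16
            hiByte = hiByte \ 16
            result = result & Hex(hiByte) & Hex(loByte)
        Next

        OctetString2String = result
    End Function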
    To run the script, use the following syntax:
    cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]
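
The script above adds the member by SID: it hex-encodes the user's binary objectSid into a <Sid=...> value. The following Python example is added here and is not part of the original article; it builds the same value and also decodes it to the S-1-... string form, so the value written to the group can be checked against the intended account. The function names and the sample SID are constructed for illustration.

```python
import struct

PREFIX, SUFFIX = "<Sid=", ">"

def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(sid) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", sid[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_binding(sid: bytes) -> str:
    """Build the member value the script writes: <Sid=HEX>."""
    sid_to_string(sid)                               # reject malformed input
    return PREFIX + sid.hex().upper() + SUFFIX

def binding_to_string(binding: str) -> str:
    """Recover the S-1-... form from a <Sid=HEX> member value for review."""
    if not (binding.lower().startswith(PREFIX.lower())
            and binding.endswith(SUFFIX)):
        raise ValueError("not a <Sid=...> binding string")
    return sid_to_string(bytes.fromhex(binding[len(PREFIX):-len(SUFFIX)]))

# Constructed sample SID (not a real account): S-1-5-21-1-2-3-1105
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1, 2, 3, 1105))

if __name__ == "__main__":
    value = sid_binding(SAMPLE_SID)
    print(value)                     # the value placed in the member attribute
    print(binding_to_string(value))  # the same SID in readable form
```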

MORE INFORMATION

For more information about the dsmod command, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/3558C421-BA3D-4B8F-A107-B9058CC0F2861033.mspx
For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:
298882 The new command-line tools for Active Directory in Windows Server 2003
322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003

Properties

Article ID: 892239 - Last Review: October 30, 2006 - Revision: 2.2
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: 
kbwinservds kbactivedirectory kbprb kbtshoot KB892239
