Article ID: 810070
When you try to add a security principal, such as a user or a group, from one domain to a group that is located in a separate trusted domain, the addition of that security principal may be unsuccessful and the Foreign Principal Object (FPO) that is created during the operation to represent this security principal between the two trusts may become corrupted.
This behavior may occur if you have installed previous versions of any of the hotfixes that are described in the "More Information" section of this article.
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (https://support.microsoft.com/kb/260910/EN-US/) How to Obtain the Latest Windows 2000 Service Pack
To work around this problem, remove the previous version of the hotfix, and then reinstall the new updated version.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
When you add a security principal (for example, a user or group) from a particular domain to a group that belongs to another trusted domain, the directory service creates a Foreign Principal Object (FPO) that represents this security principal in the trusted domain to which you want to add it. The versions of the Ntdsa.dll file (versions 5.0.2195.5886 to 5.0.2195.6043) that are installed when you apply previous versions of the hotfixes that are listed in the following Microsoft Knowledge Base articles introduce an incorrect behavior. The FPO that is created when you add security principals to a group that is in a trusted domain may be created without a GUID. This behavior may cause the addition of that security principal to the group to be unsuccessful, and the created FPO to be corrupted.
The hotfixes that are described in the following Microsoft Knowledge Base articles have been updated to include the latest version of the Ntdsa.dll file. If you have installed a previous version of any of these hotfixes, and if your Windows 2000-based network uses multiple domains, remove the previous version of the hotfix and then update your computer with the new updated version of the hotfix.
327825 (https://support.microsoft.com/kb/327825/EN-US/) New Resolution for Problems That Occur When Users Belong to Many Groups
290816 (https://support.microsoft.com/kb/290816/EN-US/) Underscore in a Network Resource Name for Windows 2000 Cluster Could Not Be Created
304229 (https://support.microsoft.com/kb/304229/EN-US/) 16-Bit OLE Servers Started from 16-Bit Programs Create Extra VDMs in Terminal Server Sessions
313494 (https://support.microsoft.com/kb/313494/EN-US/) Microsoft Cryptography API May Not Work If the Default CSP Has Been Set Incorrectly
314446 (https://support.microsoft.com/kb/314446/EN-US/) HasMasterNCs Attributes for Server Objects in the Configuration Container May Become Damaged
318253 (https://support.microsoft.com/kb/318253/EN-US/) Auditing May Not Work for User Logoff
318873 (https://support.microsoft.com/kb/318873/EN-US/) The PKI Dialog Box Appears Multiple Times If You Click Cancel
322346 (https://support.microsoft.com/kb/322346/EN-US/) You Cannot Access Protected Data After You Change Your Password
326797 (https://support.microsoft.com/kb/326797/EN-US/) Some Windows 2000 Active Directory Hotfixes May Cause a Conflict with SP3 for Windows 2000
326836 (https://support.microsoft.com/kb/326836/EN-US/) Windows 2000 Desktop Blinks When Explorer.exe Repeatedly Stops Responding
327784 (https://support.microsoft.com/kb/327784/EN-US/) Windows 2000 Server May Hang After a Local Backup Completes
328477 (https://support.microsoft.com/kb/328477/EN-US/) Services.exe May Hang When You Restart a Service
328567 (https://support.microsoft.com/kb/328567/EN-US/) An Access Violation Occurs When a Program Tries to Update Active Directory
328715 (https://support.microsoft.com/kb/328715/EN-US/) "0x8000500d" Error Message When ADSI Tries to Retrieve an Attribute with a Semicolon in Its Name
325804 (https://support.microsoft.com/kb/325804/) User Context May Not Have Sufficient Access Rights When You Use the LogonUser Property
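To find domain controllers that still carry an Ntdsa.dll file in the version range given above (5.0.2195.5886 to 5.0.2195.6043), the following added example, which is not part of the original article or any Microsoft tooling, classifies file versions from an inventory. The inventory format (host name mapped to a version string collected by other means) and the host names are assumptions made for illustration.

```python
import re

# Ntdsa.dll version range stated in the article (inclusive on both ends).
RANGE_LOW = (5, 0, 2195, 5886)
RANGE_HIGH = (5, 0, 2195, 6043)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'in-range', 'outside-range' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per field; comparing the raw strings would
    # misorder builds such as 5.0.2195.10000 against 5.0.2195.6043.
    if RANGE_LOW <= version <= RANGE_HIGH:
        return "in-range"
    return "outside-range"


def audit(inventory):
    """Map each host to its classification; inventory is {host: version}."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "dc01.example.test": "5.0.2195.5886",
    "dc02.example.test": "5.0.2195.6043",
    "dc03.example.test": "5.0.2195.6044",
    "dc04.example.test": "5.0.2195.5885",
    "dc05.example.test": "5.0.2195.10000",
    "dc06.example.test": "not collected",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `in-range` are candidates for the hotfix removal and reinstallation described in this article; `unknown` entries need their version collected again before any conclusion is drawn.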
Article ID: 810070 - Last Review: February 27, 2007 - Revision: 3.4