"The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003

Support for Windows Server 2003 ended on July 14, 2015


SYMPTOMS
A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:
dsmod failed: The specified user does not exist
type dsmod /? for help.
For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:
dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"
In this scenario, you receive the following error message:
dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.
type dsmod /? for help.
CAUSE
This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.
WORKAROUND
To work around this behavior, use one of the following methods:
  • Use Active Directory Users and Computers to add the user to the group.
  • Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
    ' Parse the named arguments /g:groupDN and /u:userDN.
    for each strArg in wscript.Arguments.Named
        strValue = wscript.Arguments.Named.Item(strArg)
        select case lcase(strArg)
            case "g" ' distinguished name of the group
                groupDN = strValue
            case "u" ' distinguished name of the user
                userDN = strValue
            case "?","help","h"
                wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
                wscript.quit
        end select
    next

    ' Bind to both objects with the caller's credentials (1 = ADS_SECURE_AUTHENTICATION).
    set oProv = GetObject("LDAP:")
    set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, 1)
    set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, 1)

    ' Read the user's SID and append it to the group as <Sid=hex> (3 = ADS_PROPERTY_APPEND).
    oValue = oUser.Get("objectSid")
    oString = OctetString2String(oValue)
    oGroup.PutEx 3, "member", Array("<Sid=" & oString & ">")
    oGroup.SetInfo

    ' Convert a binary octet string to its hexadecimal text form.
    Function OctetString2String(byVal OctetStr)
        dim result
        dim j, loByte, hiByte
        result = ""
        for j = lbound(OctetStr) to ubound(OctetStr)
            hiByte = ascb(midb(OctetStr,j+1,1))
            loByte = hiByte mod 16
            hiByte = hiByte \ 16
            result = result & hex(hiByte) & hex(loByte)
        next
        OctetString2String = result
    End Function
    To run the script, use the following syntax:
    cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]
MORE INFORMATION
For more information about the dsmod command, visit the following Microsoft Web site:
For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:
298882 The new command-line tools for Active Directory in Windows Server 2003
322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003
Properties

Article ID: 892239 - Last Review: 10/30/2006 21:14:46 - Revision: 2.2

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)