A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:
dsmod failed: The specified user does not exist type dsmod /? for help.
For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:
dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"
In this scenario, you receive the following error message:
dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist. type dsmod /? for help.
This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.
To work around this behavior, use one of the following methods:
Use Active Directory Users and Computers to add the user to the group.
Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
' Dsaddmbr.vbs - add a user from a trusted forest to a group by SID
for each strArg in wscript.Arguments.Named
    strValue = wscript.Arguments.Named.Item(strArg)
    select case lcase(strArg)
        case "g"    ' distinguished name of the group
            groupDN = strValue
        case "u"    ' distinguished name of the user
            userDN = strValue
        case "?","help","h"
            wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
            wscript.quit
    end select
next

set oProv = GetObject("LDAP:")
' Flag 1 = ADS_SECURE_AUTHENTICATION; null credentials use the caller's logon
set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, 1)
set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, 1)

' Read the user's binary SID and add the user to the group by SID, not by DN
oValue = oUser.Get("objectSid")
oString = OctetString2String(oValue)
' 3 = ADS_PROPERTY_APPEND
oGroup.PutEx 3, "member", Array("<Sid=" & oString & ">")
oGroup.SetInfo

' Convert a byte array to a hexadecimal string
Function OctetString2String(byVal OctetStr)
    dim result
    dim j, loByte, hiByte
    result = ""
    for j = lbound(OctetStr) to ubound(OctetStr)
        hiByte = ascb(midb(OctetStr,j+1,1))
        loByte = hiByte mod 16
        hiByte = hiByte \ 16
        result = result & hex(hiByte) & hex(loByte)
    next
    OctetString2String = result
End Function
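The following Python code is an added example, not part of the original article or of Dsaddmbr.vbs. It decodes the binary objectSid that the script reads, reproduces the <Sid=HEX> value that the script writes, and derives the foreignSecurityPrincipal DN under which a member from a trusted forest normally appears in the group's domain, so that the change to the group can be verified. The function names and the sample SID are assumptions made for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid value into S-<rev>-<authority>-<sub>... form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_binding(raw: bytes) -> str:
    """Member value in the form Dsaddmbr.vbs passes to PutEx: <Sid=HEX>."""
    sid_to_string(raw)                                # validate before use
    return "<Sid=%s>" % raw.hex().upper()

def binding_to_string(binding: str) -> str:
    """Recover the readable SID from a <Sid=HEX> value, e.g. from a script log."""
    if not (binding.lower().startswith("<sid=") and binding.endswith(">")):
        raise ValueError("not a <Sid=...> binding")
    return sid_to_string(bytes.fromhex(binding[5:-1]))

def fsp_dn(raw: bytes, domain_dn: str) -> str:
    """DN of the foreignSecurityPrincipal expected in the group's domain."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid_to_string(raw), domain_dn)

# Constructed sample: the domain identifier and RID below are made up.
SAMPLE_SID = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)

if __name__ == "__main__":
    print(sid_binding(SAMPLE_SID))
    print(fsp_dn(SAMPLE_SID, "DC=forestB,DC=local"))
```

Comparing the decoded SID with the members of the target group after the script runs confirms that the intended account, and only that account, was added.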
For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, see the following articles in the Microsoft Knowledge Base:
298882 The new command-line tools for Active Directory in Windows Server 2003
322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003