Microsoft KB Archive/892239

= "The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003 =

Article ID: 892239

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)






SYMPTOMS
A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:

dsmod failed: The specified user does not exist

type dsmod /? for help.

For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:

dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"

In this scenario, you receive the following error message:

dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.

type dsmod /? for help.



CAUSE
This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.



WORKAROUND
To work around this behavior, use one of the following methods:

 * Use Active Directory Users and Computers to add the user to the group.
 * Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.

' Parse the named arguments /g:groupDN and /u:userDN.
for each strArg in wscript.Arguments.Named
    strValue = wscript.Arguments.Named.Item(strArg)
    select case lcase(strArg)
        case "g"    ' distinguished name of the target group
            groupDN = strValue
        case "u"    ' distinguished name of the user in the other forest
            userDN = strValue
        case "?","help","h"
            wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
            wscript.quit
    end select
next

' Bind to both objects with the caller's credentials (1 = ADS_SECURE_AUTHENTICATION).
set oProv = GetObject("LDAP:")
set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, 1)
set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, 1)

' Read the user's binary SID and append it to the group's member attribute
' in the <SID=hex> form (3 = ADS_PROPERTY_APPEND).
oValue = oUser.Get("objectSid")
oString = OctetString2String(oValue)
oGroup.PutEx 3, "member", Array("<SID=" & oString & ">")
oGroup.SetInfo

' Convert a byte array to its hexadecimal string form, two digits per byte.
Function OctetString2String(byVal OctetStr)
    dim result
    dim j, loByte, hiByte

    result = ""
    for j = lbound(OctetStr) to ubound(OctetStr)
        hiByte = ascb(midb(OctetStr,j+1,1))
        loByte = hiByte mod 16
        hiByte = hiByte \ 16
        result = result & hex(hiByte) & hex(loByte)
    next

    OctetString2String = result
End Function

To run the script, use the following syntax:

cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]
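The script adds the user by SID, so in the group's forest the new member appears as a foreign security principal named after the SID string, not as cn=user1. The following Python sketch is an added example, not part of Microsoft's script; it decodes a binary objectSid into the hex value the script writes and into the S-1-... name to look for when reviewing who was added to a privileged group. The sample SID is constructed and the function names are hypothetical.

```python
import struct

def sid_to_hex(sid: bytes) -> str:
    """Hex form produced by the script's OctetString2String: two uppercase digits per byte."""
    return sid.hex().upper()

def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (revision, count, 48-bit authority, sub-authorities) to S-1-... form."""
    if len(sid) < 8:
        raise ValueError("SID is shorter than its fixed 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")        # identifier authority is big-endian
    subs = struct.unpack("<%dI" % count, sid[8:])      # sub-authorities are little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def member_value(sid: bytes) -> str:
    """Value the script appends to the group's member attribute."""
    return "<SID=" + sid_to_hex(sid) + ">"

def fsp_dn(sid: bytes, group_domain_dn: str) -> str:
    """DN of the foreign security principal object that represents the added user."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid_to_string(sid), group_domain_dn)

# Constructed sample: the objectSid of a user with RID 1105 in a made-up domain.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)

if __name__ == "__main__":
    print(member_value(SAMPLE_SID))
    print(fsp_dn(SAMPLE_SID, "DC=forestB,DC=local"))
```
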





MORE INFORMATION
For more information about the dsmod command, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/3558C421-BA3D-4B8F-A107-B9058CC0F2861033.mspx

For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:

298882 The new command-line tools for Active Directory in Windows Server 2003

322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003

Keywords: kbwinservds kbactivedirectory kbprb kbtshoot KB892239


© Microsoft Corporation. All rights reserved.