Microsoft KB Archive/263956

= You cannot browse users in a trusted domain =

Article ID: 263956

Article Last Modified on 8/7/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q263956



SYMPTOMS
When users and groups are enumerated from a trusted domain, you may receive the following message:

You are logged on with an account that does not have access to:

Enter the name and password of an account with permissions for this domain and click OK.

This behavior occurs when you perform any of the following operations:
 * Define group membership

For example, you add a domain user to the local Administrators group on a member workstation.
 * Set permissions for users and groups on files and folder shares
 * Set permissions for users and groups on keys in the Windows NT registry
 * Enable an audit trail for object access by users and groups



CAUSE
This behavior occurs when you log on to a trusting domain and try to access the list of users in the trusted domain and only a one-way trust exists. This problem can occur with any of the following one-way explict trusts:
 * Trust between two Windows 2000 domains that reside in different forests
 * Trust between a Windows 2000 domain and a Microsoft Windows NT 4.0 domain
 * Trust between two Windows NT 4.0 domains that have Windows 2000 clients

A Windows 2000-based computer does not try a null session when it requests the list of users from the trusted domain. When the authentication request of the currently logged on user is unsuccessful, the user is prompted for the appropriate credentials.



RESOLUTION
To resolve this issue, use one of the following methods:
 * Supply the user name and password of an account that can be authenticated by the trusted domain.
 * Add a second trust in the reverse direction so that the trusted domain also trusts the trusting domain.
 * Synchronize the user name and passwords for the accounts you will be using for this operation in each domain.



STATUS
This behavior is by design.

Additional query words: fail fails

Keywords: kbenv kberrmsg kbprb KB263956

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.