Score:1

Unable to rename the DN using trusted domain user credentials


I have two AD domains between which a two-way trust relationship (forest and transitive) exists. The trusted domains are trust1.com and trust2.com.

I created an AD user (TEST1) in trust2.com using administrator credentials of the trusted domain (trust1.com). But I am not able to rename the computer username from TEST1 to TEST2 using administrator credentials of trust1.com.

I can see ldap_rename is giving the error "insufficient access" for the user. The confusion here is that the user can add using trusted-domain credentials, but is not able to rename.

Parameters passed to the ldap_rename_s function are:
int ldap_rename_s(LDAP *ld, const char *dn, const char *newrdn, const char *newparent, int deleteoldrdn, LDAPControl *sctrls[], LDAPControl *cctrls[]);
dn: CN=TEST1,CN=Computers,DC=trust2,DC=com
newrdn: cn=TEST2
newparent: CN=Computers,dc=trust2,dc=com
deleteoldrdn = 1

Do I need to do anything else before doing this operation?

Score:0

The standard security settings for an Active Directory domain allow all authenticated users to add new computers, while you need to be an administrator (or have specific access rights) to rename or delete one.

It looks like your admin account in trust1.com doesn't have any administrative rights in trust2.com, thus it's treated as a standard user: it can add new computers to the domain but it can't manage existing ones (including the ones it created itself).

This is indeed normal, because a domain trust doesn't by itself allow admins from one domain to manage the other one, and vice versa; in order to achieve this, you'll have to grant admin rights in trust2.com to users or groups from trust1.com, either explicitly (using ACLs) or by placing them in the Administrators domain local group.
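The explicit-ACL route the answer mentions, as an added example that is not from the question or the answer: a PowerShell script (ActiveDirectory module, run by a trust2.com admin) that first shows what a trusted-domain principal currently holds on CN=Computers and then grants only the WriteProperty rights on cn and name that a same-container rename needs, scoped to computer objects. The group name TRUST1\ComputerRenamers is a placeholder.

```powershell
# Added example, not code from the question or answer. Assumes the ActiveDirectory
# module and a trust2.com admin session; TRUST1\ComputerRenamers is a placeholder
# for whatever trust1.com group should be allowed to rename computer objects.
Import-Module ActiveDirectory

$container = 'CN=Computers,DC=trust2,DC=com'
$principal = [System.Security.Principal.NTAccount]'TRUST1\ComputerRenamers'

# 1. What does any trust1.com principal currently hold on the container?
#    With a bare trust this is normally nothing, which is why the rename fails.
$acl = Get-Acl -Path "AD:\$container"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like 'TRUST1\*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize

# 2. Resolve schema GUIDs from this forest's schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC `
                      -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                      -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$cnAttr        = Get-SchemaGuid 'cn'
$nameAttr      = Get-SchemaGuid 'name'

# 3. A rename within the same parent needs WriteProperty on the RDN attribute (cn)
#    and on 'name'. Grant exactly that, inherited to computer objects only,
#    rather than adding the trusted-domain users to Administrators.
foreach ($attr in @($cnAttr, $nameAttr)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $principal,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$container" -AclObject $acl

# 4. Re-check: two WriteProperty ACEs for the principal, scoped to computer objects.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference -eq $principal -and
                   $_.ActiveDirectoryRights -eq 'WriteProperty' }
```

Moving the object to a different container would additionally need create/delete child rights on the containers involved, which this grant deliberately does not give.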

user2956014
Hi @Massimo, I am able to modify after adding the trusted-domain users to the built-in Administrators group of the trusting domain. Thanks a lot for your help. But one thing I am still confused about: it was able to add (as you also said it can add), but it was able to delete as well; only modify (rename) was not working.
Massimo
Adding, deleting and modifying require different permissions; it depends on your domain's settings. By default only adding (joining) is allowed for all users; I don't know about your security settings. Maybe your domain allows deletions for all users, or for the one who joined the computer in the first place. Modifying an existing object still requires different rights, too.
Massimo
Anyway, the bottom line is, admins in a trusted domain are not automatically admins in the trusting domain; you need to explicitly make them so.
Massimo
If my answer helped you, please remember to upvote & accept it.
user2956014
Your answer helped me a lot to understand. I had done the upvote, but it gives the error: "Thanks for the feedback! You need at least 15 reputation to cast a vote, but your feedback has been recorded."