Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

"The specified user does not exist" error message when you try to use the DSMOD command to add a user from one forest to a group in another forest in Windows Server 2003


Symptoms

A trust relationship exists between two Microsoft Windows Server 2003 forests in your organization. When you try to use the dsmod command to add a user from one forest to a group in the other forest, you receive an error message that is similar to the following:
dsmod failed: The specified user does not exist
type dsmod /? for help.
For example, suppose that a trust relationship exists between two forests that are named forestA.local and forestB.local. You use the following command line to add User1 from forestA.local to the Administrators group in forestB.local:
dsmod group "cn=administrators,cn=Builtin,dc=forestB,dc=local" -addmbr "cn=user1,cn=users,dc=forestA,dc=local"
In this scenario, you receive the following error message:
dsmod failed:cn=administrators,cn=Builtin,dc=forestB,dc=local:The specified user does not exist.
type dsmod /? for help.


Cause

This behavior occurs because the dsmod command is not designed to support scenarios where a trust relationship exists between forests.


Workaround

To work around this behavior, use one of the following methods:
  • Use Active Directory Users and Computers to add the user to the group.
  • Use the following Microsoft Visual Basic script to add the user to the group. Name the script Dsaddmbr.vbs.
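    ' ADSI constants used below
    Const ADS_SECURE_AUTHENTICATION = 1
    Const ADS_PROPERTY_APPEND = 3

    ' Read the named arguments /g:groupDN and /u:userDN
    for each strArg in wscript.Arguments.Named
        strValue = wscript.Arguments.Named.Item(strArg)
        select case lcase(strArg)
            case "g" ' distinguished name of the group
                groupDN = strValue
            case "u" ' distinguished name of the user
                userDN = strValue
            case "?","help","h"
                wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
                wscript.quit
        end select
    next

    ' Both DNs are needed; stop here rather than bind to an empty LDAP path
    if groupDN = "" or userDN = "" then
        wscript.echo "cscript /nologo " & wscript.scriptname & " [/g:groupDN] [/u:userDN]"
        wscript.quit 1
    end if

    ' Bind to both objects with the credentials of the caller
    set oProv = GetObject("LDAP:")
    set oGroup = oProv.OpenDSObject("LDAP://" & groupDN, vbnullstring, vbnullstring, ADS_SECURE_AUTHENTICATION)
    set oUser = oProv.OpenDSobject("LDAP://" & userDN, vbnullstring, vbnullstring, ADS_SECURE_AUTHENTICATION)

    ' Read the binary SID of the user and append it to the group
    ' as a <Sid=hex> member reference
    oValue = oUser.Get("objectSid")
    oString = OctetString2String(oValue)
    oGroup.PutEx ADS_PROPERTY_APPEND, "member", Array("<Sid=" & oString & ">")
    oGroup.SetInfo

    ' Convert a byte array (octet string) to two hex digits per byte
    Function OctetString2String(byVal OctetStr)
        dim result
        dim j, loByte, hiByte

        result = ""
        for j = lbound(OctetStr) to ubound(OctetStr)
            hiByte = ascb(midb(OctetStr,j+1,1))
            loByte = hiByte mod 16
            hiByte = hiByte \ 16
            result = result & hex(hiByte) & hex(loByte)
        next

        OctetString2String = result
    End Function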
    To run the script, use the following syntax:
    cscript /nologo dsaddmbr.vbs [/g:groupDN] [/u:userDN]
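
The script identifies the user by SID: it hex-encodes the binary objectSid and appends it to the group's member attribute as <Sid=hex>. The following Python code is an added example, not part of the original article; it decodes such a value back into the S-1-5-... form so you can confirm which account and domain a binding refers to. The function names and the sample SID bytes are constructed for illustration.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_binding(raw: bytes) -> str:
    """Build the <Sid=hex> member value the way Dsaddmbr.vbs does."""
    parse_sid(raw)                                 # reject malformed input first
    return "<Sid=" + raw.hex().upper() + ">"

def from_binding(value: str) -> str:
    """Turn a '<Sid=hex>' value back into a readable SID string."""
    v = value.strip()
    if not (v.upper().startswith("<SID=") and v.endswith(">")):
        raise ValueError("not a <Sid=...> binding")
    return parse_sid(bytes.fromhex(v[5:-1]))

def split_domain_rid(sid: str):
    """Return (domain SID, RID) for a domain account SID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

# Constructed sample: S-1-5-21-1111-2222-3333-1105 (not a real account)
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1111, 2222, 3333, 1105))

if __name__ == "__main__":
    binding = sid_binding(SAMPLE_SID)
    sid = from_binding(binding)
    domain, rid = split_domain_rid(sid)
    print(binding)
    print(sid, "domain:", domain, "RID:", rid)
```

Comparing the domain part of the decoded SID with the domain SIDs of forestA and forestB shows which forest a member reference belongs to.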


More information

For more information about the dsmod command, visit the following Microsoft Web site: For additional information about the Dsmod.exe command-line tool and other command-line tools that you can use with Active Directory in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:
298882 The new command-line tools for Active Directory in Windows Server 2003
322684 How to use the Directory Service command-line tools to manage Active Directory objects in Windows Server 2003


Keywords: KB892239, kbtshoot, kbprb, kbactivedirectory, kbwinservds

Article Info
Article ID : 892239
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006