Synchronizing AD groups with members from different domains
Our AD environment has five domains - Dom1, Dom2, Dom3, Dom4, and Dom5. Dom1 is the root; Dom2-5 are all child domains. The Service Desk 7 server is in Dom2. I am using AD authentication. During Service Desk 7 installation, I chose to map the default groups in Service Desk 7 to AD groups in Dom2. For example, I created an AD group called "Symantec Service Desk Support I", which maps to a group in Service Desk 7 with the same name.
The AD group "Symantec Service Desk Support I" resides in Dom2, but contains user accounts from all domains. When I synchronize AD, Service Desk 7 only synchronizes the members of this group who are in the same domain as the group. In other words, after the synchronization, only Dom2 user accounts show up in the "Symantec Service Desk Support I" group in Service Desk 7. I have to manually update the group membership in Service Desk 7 to include the user accounts which reside in Dom1 and Dom3-5.
After checking other imported groups, it appears that when an AD group contains members from multiple domains, Service Desk 7 only updates group membership with accounts that reside in the same domain as the group. This is a pretty big deal - I do not wish to have to manually track groups in Service Desk 7 when it should be done automatically in AD.
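
An added example, not part of the original post and not Symantec code: a PowerShell check that lists, per domain, the members AD holds for a mapped group and flags those outside the group's own domain, so the result can be compared with what Service Desk 7 shows after a synchronization. It assumes the RSAT ActiveDirectory module is installed; `dom2.example.com` is a placeholder DNS name for Dom2, and `Get-DomainFromDN` is a helper written for this example.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: derive the DNS domain name from the trailing DC= components of a DN,
# e.g. "CN=User,OU=Staff,DC=dom3,DC=example,DC=com" -> "dom3.example.com".
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -match '((?:(?:^|,)DC=[^,]+)+)$') {
        return (($Matches[1].Trim(',') -split ',') -replace '^DC=', '') -join '.'
    }
    return $null
}

$GroupName   = 'Symantec Service Desk Support I'  # group name from the post
$GroupServer = 'dom2.example.com'                 # assumption: placeholder for a Dom2 domain controller/domain name

# Read the group and its raw member DNs from the domain that holds the group.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $GroupServer -Properties member
if (-not $group) { throw "Group '$GroupName' not found on $GroupServer" }

$groupDomain = Get-DomainFromDN $group.DistinguishedName

# Tag every member with the domain its DN belongs to.
$members = foreach ($dn in $group.member) {
    $memberDomain = Get-DomainFromDN $dn
    [pscustomobject]@{
        MemberDN      = $dn
        MemberDomain  = $memberDomain
        OutsideDomain = ($memberDomain -ne $groupDomain)
    }
}

# Per-domain totals: the counts Service Desk 7 should match after a sync.
$members | Group-Object MemberDomain |
    Select-Object @{n = 'Domain'; e = { $_.Name }}, Count |
    Sort-Object Domain | Format-Table -AutoSize

# Members that live outside the group's own domain: the ones reported missing after sync.
$members | Where-Object OutsideDomain |
    Sort-Object MemberDomain, MemberDN |
    Select-Object MemberDomain, MemberDN | Format-Table -AutoSize
```

Run it once per mapped group; any group with rows in the second table is one whose Service Desk 7 membership needs checking against AD.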