
Synchronizing AD groups with members from different domains

Created: 25 Jun 2010 | 1 comment

Our AD environment has five domains - Dom1, Dom2, Dom3, Dom4, and Dom5.  Dom1 is the root, Dom2-5 are all child domains.  The Service Desk 7 server is in Dom2.  I am using AD authentication.  During Service Desk 7 installation, I chose to map the default groups in Service Desk 7 to AD groups in Dom2.  For example, I created an AD group called "Symantec Service Desk Support I", which maps to a group in Service Desk 7 with the same name.

The AD group "Symantec Service Desk Support I" resides in Dom2, but contains user accounts from all domains.  When I synchronize AD, Service Desk 7 only synchronizes the members of this group who are in the same domain as the group.  In other words, after the synchronization, only Dom2 user accounts show up in the "Symantec Service Desk Support I" group in Service Desk 7.  I have to manually update the group membership in Service Desk 7 to include the user accounts which reside in Dom1 and Dom3-5.

After checking other imported groups, it appears that when an AD group contains members from multiple domains, Service Desk 7 only updates group membership with accounts that reside in the same domain as the group.  This is a pretty big deal - I do not wish to have to manually track groups in Service Desk 7 when it should be done automatically in AD.


Comments: 1 comment

Mark Potts

We have exactly the same problem. Thinking it was a bug, I raised a support call and spent quite some time going through it, only to be told that it is by design ....

Obviously not very happy with the design, so raised a change request to get it amended in a future release. Can't see this on the KB yet, but support have told me they have raised a KB Article # 53487 for this issue.

The more people that subscribe to it the better chance of getting it included in the next release.

Here is a copy of the KB as emailed to me by Support


Article ID: 53487

FEATURE REQUEST: ServiceDesk 7.0 MR1 - AD import correctly adds all users to the correct groups to reflect the current group memberships in AD

Product and Version
  ServiceDesk 7.0 MR1
Current Product Behavior
How does the product work now that does not meet your needs?
  As a global organisation with multiple domains in a forest, we manage our security using AD Security and Distribution groups. The groups are created in our local domain but include users or groups from other domains in the forest.  When these groups are imported into Service Desk 7, not all the users become members of the imported groups, so those users do not gain the required rights.  The workaround is to manually add the users to groups, which is a duplication of the effort already put in to the AD Security groups.
Requested Product Behavior
How would you like the product to function?
  Make sure the Active Directory import correctly adds ALL users to the correct groups to reflect the current group memberships in Active Directory.
How Product Would Be Used
How would you use the product if this new feature were added?
  We could maintain and manage our security in Active Directory and just leave Service Desk running an AD Import so we do not need to manually configure the rights for each user in Service Desk.

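Until the import handles this, the accounts that need the manual workaround can be listed from AD itself. The PowerShell below is an added example, not part of the original thread or Symantec's code: it reports every member of a group whose domain differs from the group's own domain, which per the thread are the members the import leaves out. It assumes the RSAT ActiveDirectory module is installed and that the group can be looked up by name; the function names and the domain name `dom2.dom1.example` are placeholders.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-DomainName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not backslash-escaped, then keep only the DC= parts.
    $dc = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { $_ -replace '^\s*DC=', '' }
    $dc -join '.'
}

function Get-CrossDomainGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # group to audit
        [Parameter(Mandatory)][string]$GroupDomain  # DNS name of the group's domain
    )
    # The member attribute holds the full DN of each member, including
    # members that live in other domains of the same forest.
    $group    = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
    $groupDns = ConvertTo-DomainName $group.DistinguishedName

    foreach ($dn in $group.member) {
        $memberDns = ConvertTo-DomainName $dn
        if ($memberDns -ieq $groupDns) { continue }  # same-domain members do sync

        # Resolve the object in its own domain for a readable name and type
        # (user or nested group).
        $obj = Get-ADObject -Identity $dn -Server $memberDns -Properties sAMAccountName
        [pscustomobject]@{
            Domain            = $memberDns
            SamAccountName    = $obj.sAMAccountName
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $dn
        }
    }
}

# Placeholder domain name; replace with the real DNS name of Dom2.
Get-CrossDomainGroupMember -GroupName 'Symantec Service Desk Support I' `
                           -GroupDomain 'dom2.dom1.example' |
    Sort-Object Domain, SamAccountName |
    Format-Table -AutoSize
```

Comparing this output with the group's membership in Service Desk 7 after each synchronization shows which accounts still have to be added by hand and which manual additions no longer match AD.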