User Folders in a Parent / Child Domain Structure

Hi,
I have a forest setup with a parent and 3 child domains.
We have a DFS share set up for home folders.
I used Group Policy to create the users' share folders, map the drive, and set up folder redirection.
Each user has a separate ID for each domain.
The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
Having domain specific home folders has been shot down.
Giving all shares EVERYONE access has been shot down.
Open to other suggestions.
Thanks!
-Matt
There's no place like 127.0.0.1

You might want to try creating a script that will grant the required rights to both user accounts using PowerShell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
Once you create the script, you can schedule it using Task Scheduler.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
Interesting.  I've been playing with this module off and on today.  From what I can tell, this would have to be scripted to some sort of function like this:
dir \\parent.com\dfshome | Get-NTFSAccess
For each dir in "\\parent.com\dfshome", set $folder
For each $folder where account = "childx\User", set $User
For each $User, Add-NTFSAccess: child1\$user, child2\$user, and child3\$user
(head scratch)
I'll give it some more thought. :)
Thanks!
There's no place like 127.0.0.1
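
An added example (not code from the thread or from the linked blog post) of the loop sketched above, written with the built-in Get-Acl/Set-Acl cmdlets and .NET ACL classes instead of the NTFSSecurity module. It assumes each home folder is named after the user's sAMAccountName, that the same name in every domain belongs to the same person, and that PARENT, CHILD1, CHILD2 and CHILD3 are the NetBIOS domain names; the -Apply switch is a name chosen here.

```powershell
# Added example. Assumptions: folder name == sAMAccountName, and an account
# with that name in any listed domain is the same person as the folder owner.
param(
    [string]   $HomeRoot = '\\parent.com\home',                    # share path from the question
    [string[]] $Domains  = @('PARENT','CHILD1','CHILD2','CHILD3'), # assumed NetBIOS names
    [switch]   $Apply                                              # without -Apply, only report
)

$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($folder in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false

    foreach ($domain in $Domains) {
        $account = [System.Security.Principal.NTAccount]::new($domain, $folder.Name)

        # Resolve to a SID first: a name with no account in this domain is
        # skipped, so no ACE is ever written for an unresolvable identity.
        try {
            $sid = $account.Translate($sidType)
        } catch [System.Security.Principal.IdentityNotMappedException] {
            continue
        } catch {
            Write-Warning "Could not resolve $($account.Value): $($_.Exception.Message)"
            continue
        }

        # Skip accounts that already hold an explicit Allow/Modify entry.
        $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow -and
            ($_.FileSystemRights -band $rights) -eq $rights
        }
        if ($existing) { continue }

        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $sid, $rights, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
        $changed = $true

        # One output row per grant, so the run doubles as an audit record.
        [pscustomobject]@{
            Folder  = $folder.FullName
            Account = $account.Value
            Action  = if ($Apply) { 'Granted' } else { 'WouldGrant' }
        }
    }

    if ($changed -and $Apply) {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Run it without -Apply first and review the WouldGrant rows: a name that exists in two domains but belongs to different people would otherwise gain access to someone else's home folder.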

Similar Messages

  • Parent/Child Domain

    I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When
    I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn
    how can I stop that from being the domain controller that replies?
    Thanks for any advice
    Chris

    Hi,
    To add, Mr. Ace got a good blog regarding Site and Site links, see if it could help here:
    AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
    http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
    Best regards
    Michael

  • Parent child domain best practice

    Currently we have multiple locations; each location has its own AD and DNS, and they are not connected to each other.
    Mostly the users at these locations do not login/access resources of the other locations. The few users that needed to login/access resources at multiple locations have one account per location. This was fine since we had very few users who
    needed multiple accounts, but now with their number growing it is creating problems for many of the users.
    We are planning to redo our AD infrastructure by installing new ADs on Windows 2012 R2 servers. We would like to set up one parent domain and multiple child domains (one per location).
    Users created on the parent domain should be able to login/access resources from each location, whereas users of a child domain should be able to login/access resources only at their location.
    Can someone please recommend a best way to do this?
    SKR

    If you are planning on redoing your AD infra, do not create additional AD domains, but rather CONSOLIDATE what you already have into one AD forest with one AD domain. Create OUs to manage objects differently or allow different teams to have their own delegation,
    and create AD sites/subnets to optimize replication and authentication.
    To consolidate AD domains see:
    http://jorgequestforknowledge.wordpress.com/2006/12/27/migrating-stuff-with-admtv3/
    http://jorgequestforknowledge.wordpress.com/2014/06/19/microsoft-released-an-admt-version-to-also-support-w2k12r2/
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

  • Default filters which the users can delete (in parent/child setup)?

    Is it possible in Latitude 2.2.2 to have filters (range filters, refinement filters etc.) applied by default (meaning users see these filters when they log-in), but they can also remove them (using Breadcrumbs portlet) if they wanted to? We tried using the data source (JSON) filters (using "baseFunctions" setting) where we have a parent/child setup, but it seems those filters cannot be removed once applied. Note that the filters can be removed if we do not have a parent/child relationship amongst the data sources, but as soon as we introduce a parent/child relationship amongst the data sources (which we need to have), the filters get sticky and cannot be deleted. Any reason why parent/child relationship causes the filters to become sticky? Any (alternate) means to achieve what we want?

    Thanks Dave - that issue is the issue we are facing, and it does have a hotfix - I will contact support and get it for our client. Thanks for your help.
    Mahim.

  • Problems with Centralized No Delegation DNS with forest wide replication in a Parent-Child domain

    Hi,
    I have a parent domain "parent" with a child domain "child" as shown below. There are no delegations and DNS replication is set to forest wide DNS replication for both the child and parent zone. I've read that forest wide replication
    in this scenario is not recommended, but no one explains why.
    Also, running "dcdiag /test:dns" produces the warning below (expected as child is not a DNS zone)
     (test:basic (Basc))
    Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
    I'm looking at upgrading the domain, then forest functional level to 2008, but want to ensure that this DNS config doesn't cause any issues.
    Hoping someone can advise.
    The only thing I've noticed is that some SRV records for DCs are not up to date when viewed from other DCs (dns diagnostics and event logs report OK) and all else seems OK.
    Thanks
    IT Support/Everything

    Hey Aetius2012, So I am a little confused
    What is the current domain/forest functional level?
    Normally I would expect to see three dns forward lookup zones in a 2 domain (Parent/Child) environment
    2 zones if the domain/forest level is 2000/2003 where the _msdcs zone has not been moved to its own forward lookup zone - see image below
    In your environment I would expect to see 3 zones (_msdcs.parent.com, parent.com, child.parent.com) on every domain controller because all zones are replicated forest wide.
    I would also expect to see 2 delegation records under the parent.com for _msdcs and child
    I know you stated there were no delegations, and would like to understand better what you mean by that. Not saying that anything is configured wrong, just trying to get clarification on your environment to give you the best answer from the community as possible.
    Thanks

  • RH10 Parent/Child Directory Structure

    I know that you cannot embed a child project within a child project. When the parent displays in the browser, Child Project 1 is on the TOC, but Child Project 2 simply isn't in the Child Project 1 book.
    Now I have a situation where I am trying to restructure my help system to display child projects in multiple different ways for different audiences. We've already had the discussion about why I don't combine 40,000 topics, video files and PDFs into one project and use categories to sort them - the project is too big. Robohelp only handles 2 gigs of files in one project before it crashes. So that is not an option.
    What I did was create multiple parent projects, and publish each child project to multiple destinations using multiple single source layouts. Each parent displays only the child projects that audience needs to see. That part works fine.
    However, now I have a problem on the server that reminds me of embedding child projects into child projects, and I'm wondering if I can even do this.
    A parent project apparently needs to be on the root of the server, or its child projects don't display. In other words, you CANNOT put a parent project into a folder. That means you cannot separate the parents from one another because they all need to be in the same location. So, you cannot have multiple parent projects on one server - you actually need a separate server for each one.
    Am I correct about this? That's what I found out when I tested the scenario. I just want to verify this with someone before I send my progress report.
    Thanks

    Thanks but he only covers the design aspect that I already have up and running - I've already created the multiple parents and generated multiple outputs for the various child projects. Phil says he has different "output folders" but these would have to be on the C:\ drive - that part works.
    The rest of what he describes is what I'd envisioned for the project structure, but in actual fact it doesn't work. The instant I publish a parent project into a folder on the webserver, one level down from the directory root, the child projects do not display on the Table of Contents. They only display at folder Level 2, never at Level 3, which is where they would be if you embed a child project into another child project - Parent Level 1 > Child Level 2 > Child Level 3 - or Level 4, which is where they are in a mergedProjects folder.
    Let's call the webserver "S". Your published output must be to S:\ - the "root," or "Level 1" - with your start file as S:\index.htm and the project files at that same level (except for a few folders, like SSL).
    If you publish to S:\Parent1\index.htm, and publish all its child projects to S:\Parent1\mergedProjects\Child1\index.htm, the child project files are at Level 4 and don't display. Only the parent displays, without any children on its Table of Contents.
    My problem is that child projects don't display on the server because the parents apparently all need to be published to the root directory - Level 1. Phil doesn't say how he managed this. If he actually did this successfully, I'd be interested in knowing how because I'm out of ideas.
    If I publish all parents to the same directory root, only the first one in alphabetical order displays, and the rest of the parents are lost. So it appears that you need multiple servers with multiple roots to pull this off.
    My question is : Do parent projects HAVE to be at the root of the webserver directory structure in order to display child projects? My testing says "Yes." I'm just looking for someone to confirm that Robohelp isn't coded for the design Phil and I had envisioned so I can go to the executive team with that information.
    Or, if Phil actually successfully did this, can he please tell us how? What were his target paths to the webserver, and how did he structure the folders and output on that webserver?

  • Unable to resolve stale data error in parent-child page structure.

    Hi Experts!
    I've got a master-detail page which consists of two VOs (EO based), let's say
    1. MasterTableVO
    2. DetailTableVO
    This page contains two page buttons, "Cancel" and "Apply"; till here it works all fine & perfect [by that I mean creating, retrieving, querying etc.]
    But now I've created another page which is actually a child page of the above-mentioned one.
    Here the user will enter to view some default configured financial info or may also update the default settings manually.
    In this page, I've got only an advancedTable based on a VO (EO based), let's say
    3. PaymentsTableVO
    This page has only one page button, "Ok", which returns back to the parent page retaining the AM.
    All three VOs are in the same AM. Functionally until here also it looks fine, but when I finally apply the data it throws an error on getTransaction().commit();
    Error stack:
    OAF Error Unable to perform transaction on the record.
    Cause: The record contains stale data. The record has been modified by another user.
    Action: Cancel the transaction and re-query the record to get the new data.
    Please reply ASAP.
    Regards
    Ari

    Hi Sushant,
    Yepp !! I've done this in the AM. After invoking the method from the PGCO.
    Here's the code of the PGCO:
    /*===========================================================================+
    | Copyright (c) 2001, 2005 Oracle Corporation, Redwood Shores, CA, USA |
    | All rights reserved. |
    +===========================================================================+
    | HISTORY |
    +===========================================================================*/
    package AmritTransportation.oracle.apps.po.Transportations.webui;

    import java.io.Serializable;
    import oracle.apps.fnd.common.VersionInfo;
    import oracle.apps.fnd.framework.webui.OADialogPage;
    import oracle.apps.fnd.framework.OAApplicationModule;
    import oracle.apps.fnd.framework.webui.OAPageContext;
    import oracle.apps.fnd.framework.webui.beans.OAWebBean;
    import oracle.apps.fnd.framework.webui.OAControllerImpl;
    import oracle.apps.fnd.framework.webui.OAWebBeanConstants;
    import oracle.apps.fnd.framework.webui.TransactionUnitHelper;
    import oracle.apps.fnd.framework.webui.beans.message.OAMessageTextInputBean;

    /**
     * Controller for ...
     */
    public class CostAllocationsPGCO extends OAControllerImpl
    {
      public static final String RCS_ID="$Header$";
      public static final boolean RCS_ID_RECORDED =
        VersionInfo.recordClassVersion(RCS_ID, "%packagename%");

      /**
       * Layout and page setup logic for a region.
       * @param pageContext the current OA page context
       * @param webBean the web bean corresponding to the region
       */
      public void processRequest(OAPageContext pageContext, OAWebBean webBean)
      {
        super.processRequest(pageContext, webBean);
        if (!pageContext.isBackNavigationFired(false)) {
          TransactionUnitHelper.startTransactionUnit(pageContext,"CreateTxnCosts");
          if (!pageContext.isFormSubmission()) {
            OAApplicationModule am = pageContext.getApplicationModule(webBean);
            OAMessageTextInputBean Amount = (OAMessageTextInputBean)webBean.findIndexedChildRecursive("Amount");
            String TransportationNum = (String)pageContext.getParameter("pTransportationNum")
                  ,TransportationId = (String)pageContext.getParameter("pTransportationId")
                  ,LockedFlag = (String)pageContext.getParameter("pLockedFlag")
                  ,OrgId = (String)pageContext.getProfile("ORG_ID");
            Serializable[] param = {OrgId,TransportationId};
            if (LockedFlag.equals("N")) {
              am.invokeMethod("DefineDefaultCosts",param);
            }
            else {
              am.invokeMethod("executeCosts",param);
              Amount.setReadOnly(true);
            }
          }
        }
        else {
          if (!TransactionUnitHelper.isTransactionUnitInProgress(pageContext,"CreateTxnCosts",true)) {
            OADialogPage dialogPage = new OADialogPage(NAVIGATION_ERROR);
            pageContext.redirectToDialogPage(dialogPage);
          }
        }
      }

      /**
       * Procedure to handle form submissions for form elements in
       * a region.
       * @param pageContext the current OA page context
       * @param webBean the web bean corresponding to the region
       */
      public void processFormRequest(OAPageContext pageContext, OAWebBean webBean)
      {
        super.processFormRequest(pageContext, webBean);
        OAApplicationModule am = pageContext.getApplicationModule(webBean);
        if (pageContext.getParameter("Ok") != null) {
          TransactionUnitHelper.endTransactionUnit(pageContext,"CreateTxnCosts");
          pageContext.forwardImmediately("OA.jsp?page=/AmritTransportation/oracle/apps/po/Transportations/webui/CreateTransportationPG&isChildPage=1"
                                        ,null
                                        ,OAWebBeanConstants.KEEP_MENU_CONTEXT
                                        ,null
                                        ,null
                                        ,true
                                        ,OAWebBeanConstants.ADD_BREAD_CRUMB_YES);
        }
      }
    }
    ===============================================================
    Here's the AM method DefineDefaultCosts:
    ===============================================================
    /**Custom public method to define default cost
     * allocation based on the pre-defined formula
     * for cost allocation keeping parity with the
     * corresponding delivery freight details
     */
    public void DefineDefaultCosts(String StrOrgId,String StrTransportationId) {
      OAViewObject vo = (OAViewObject)getAmritTransportationCreateVO1()
                  ,vo1 = (OAViewObject)getAmritTransportationPaymentsVO1()
                  ,vo2 = (OAViewObject)getAmritTransportDeliveryLinesVO1();
      OADBTransaction txn = getOADBTransaction();
      ArrayList debugMessage = new ArrayList();
      HashMap PartySet = new HashMap();
      Boolean PartyEntryValid = null;
      String TransportationNum = (String)vo.getCurrentRow().getAttribute("TransportationNum")
            ,CurrencyCode = (String)vo.getCurrentRow().getAttribute("CurrencyCode")
            ,EventType = "TRNSP DELIVERED",PeriodName = null;
      Date AccountingDate = (Date)vo.getCurrentRow().getAttribute("DateDelivered");
      Number Amount = (Number)vo.getCurrentRow().getAttribute("Amount")
            ,Rate = (Number)vo.getCurrentRow().getAttribute("Rate")
            ,TripId = (Number)vo.getCurrentRow().getAttribute("TripId")
            ,OrgId = null,TransportationId = null,CodeCombinationId = new Number(576773);
      int DlvryRowCount = vo2.getRowCount(),CostDistRowCount = vo1.getRowCount();
      if (CostDistRowCount == 0) {
        try {
          OrgId = new Number(StrOrgId);
          TransportationId = new Number(StrTransportationId);
        }catch (Exception e) {}
        //debugMessage.add(new OAException("Inherited Values: "+TransportationId+" "+TransportationNum+" "+CurrencyCode+" "+EventType+" "+AccountingDate+" "+Amount+" "+Rate+" "+OrgId));
        try {
          Connection Conn = txn.getJdbcConnection();
          String v$Script = "Select gp.period_name period\n" +
                            "From gl_periods gp\n" +
                            "Where upper(gp.period_set_name) = 'AMRIT_CALENDAR'\n" +
                            "And gp.adjustment_period_flag = 'N'\n" +
                            "And trunc(:1) between nvl(gp.start_date,trunc(sysdate))\n" +
                            " and nvl(gp.end_date,trunc(sysdate))\n";
          PreparedStatement PreExecuteQuery = Conn.prepareStatement(v$Script);
          PreExecuteQuery.setDate(1,new java.sql.Date(AccountingDate.dateValue().getTime()));
          for (ResultSet QryOutputRS = PreExecuteQuery.executeQuery();QryOutputRS.next();) {
            PeriodName = QryOutputRS.getString("period");
          }
          v$Script = "Select attl.vendor_id vendorid\n" +
                     " ,asp.vendor_name vendor \n" +
                     "From apps.amrit_transport_trips att\n" +
                     " ,apps.amrit_transport_trip_lines attl\n" +
                     " ,ap.ap_suppliers asp\n" +
                     "Where att.org_id = :1\n" +
                     "And att.trip_id = :2\n" +
                     "And att.enabled_flag = 'Y'\n" +
                     "And trunc(sysdate) between nvl(att.start_date_active,trunc(sysdate))\n" +
                     " and nvl(att.end_date_active,trunc(sysdate))\n" +
                     "And attl.org_id = att.org_id\n" +
                     "And attl.trip_id = att.trip_id\n" +
                     "And attl.enabled_flag = 'Y'\n" +
                     "And trunc(sysdate) between nvl(attl.start_date_active,trunc(sysdate))\n" +
                     " and nvl(attl.end_date_active,trunc(sysdate))\n" +
                     "And attl.location_type = 'HZ'\n" +
                     "And asp.enabled_flag = 'Y'\n" +
                     "And asp.vendor_id = attl.vendor_id\n" +
                     "And trunc(sysdate) between nvl(asp.start_date_active,trunc(sysdate))\n" +
                     " and nvl(asp.end_date_active,trunc(sysdate))\n";
          PreExecuteQuery = Conn.prepareStatement(v$Script);
          PreExecuteQuery.setInt(1,Integer.parseInt(OrgId.toString()));
          PreExecuteQuery.setInt(2,Integer.parseInt(TripId.toString()));
          for (ResultSet QryOutputRS = PreExecuteQuery.executeQuery();QryOutputRS.next();) {
            PartySet.put(QryOutputRS.getString("vendorid"),QryOutputRS.getString("vendor"));
          }
        }catch (Exception e) {}
        /* vo2.first();
        for (int i = 1;i <= DlvryRowCount;i++) {
          if (vo2.getCurrentRow().getAttribute("CancelFlag").equals("N")) {
            PartyEntryValid = PartySet.add((Number)vo2.getCurrentRow().getAttribute("VendorId"));
            //debugMessage.add(new OAException("Set VendorId: "+vo2.getCurrentRow().getAttribute("VendorId")));
          }
          vo2.next();
        }*/
        //debugMessage.add(new OAException("PartySet: "+PartySet.entrySet()));
        for (Iterator iter = PartySet.entrySet().iterator();iter.hasNext();) {
          Map.Entry entry = (Map.Entry)iter.next();
          String VendorName = (String)entry.getValue();
          Number Cost = null;
          int PartyId = Integer.parseInt(entry.getKey().toString());
          float Qty = 0;
          try {
            vo2.first();
            for (int i = 1;i <= DlvryRowCount;i++) {
              //debugMessage.add(new OAException("VO VendorId: "+vo2.getCurrentRow().getAttribute("VendorId")+" Cancelled: "+vo2.getCurrentRow().getAttribute("CancelFlag")));
              if (vo2.getCurrentRow().getAttribute("CancelFlag").equals("N")) {
                int VendorId = Integer.parseInt(vo2.getCurrentRow().getAttribute("VendorId").toString());
                float Quantity = Integer.parseInt(vo2.getCurrentRow().getAttribute("Quantity").toString());
                if (PartyId == VendorId) {
                  Qty+= Quantity;
                  //debugMessage.add(new OAException("Quantities: "+Quantity+" "+Qty));
                }
              }
              vo2.next();
            }
            Qty*= Float.parseFloat(Rate.toString());
            Float totalQty = new Float(Qty);
            Cost = new Number(totalQty);
          }catch (Exception e) {}
          //debugMessage.add(new OAException("PartyId: "+PartyId+" VendorName: "+VendorName+" Cost: "+Cost+" EntryKey: "+entry.getKey()+" EntryValue: "+entry.getValue()));
          Row row = vo1.createRow();
          row.setAttribute("OrgId",OrgId);
          row.setAttribute("TransportationId",TransportationId);
          row.setAttribute("TransportationNum",TransportationNum);
          row.setAttribute("EventType",EventType);
          row.setAttribute("AccountingDate",AccountingDate);
          row.setAttribute("PeriodName",PeriodName);
          row.setAttribute("CodeCombinationId",CodeCombinationId);
          row.setAttribute("PartyId",PartyId);
          row.setAttribute("VendorName",VendorName);
          row.setAttribute("CurrencyCode",CurrencyCode);
          row.setAttribute("Amount",Cost);
          row.setAttribute("TransportationAmount",Amount);
          vo1.last();
          vo1.next();
          vo1.insertRow(row);
          row.setNewRowState(Row.STATUS_INITIALIZED);
        }
        vo1.first();
        vo2.first();
      }
      OAException.raiseBundledOAException(debugMessage);
    }
    ===============================================================
    Here's the AM method executeCosts:
    ===============================================================
    /**Custom public method to execute the corresponding
     * transportation transactional cost allocations
     * and the distributive charges on the vendor accounts
     */
    public void executeCosts(String StrOrgId,String StrTransportationId) {
      OAViewObject vo = (OAViewObject)getAmritTransportationPaymentsVO1();
      Number TransportationId = null;
      try { TransportationId = new Number(StrTransportationId); }catch (Exception e) {}
      if (!vo.isPreparedForExecution()) {
        if (TransportationId != null) {
          vo.setNamedWhereClauseParam("ReferredTransportationId",TransportationId);
          vo.executeQuery();
        }
      }
    }
    ===============================================================
    Please mention if something else is also required.
    Regards
    Ari :)

  • Can't create Exchange users in a new child domain

    Hi,
    I have an Exchange 2010 SP3 (1 CAS/Hub + 1 mailbox) server running in a parent domain. A few days ago I created a new child domain, but I can't create mailboxes for users coming from this new child domain.
    The error message says that I don't have enough rights to do this operation (can't copy the error, translation from French will be a disaster :p )
    That's what I get:
    Réponse d'Active Directory : 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    I'm doing this with my parent domain administrator.
    I've read that the exchange infra had to be prepared for all domains with command
    setup.com /PrepareAllDomains
    Is it possible with an existing Exchange?
    Thanks for your replies

    Yes, you need to prepare any domain that will have mail-enabled accounts in it.
    You can run this for a specific domain:
    setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
    It's safe to run this in an existing Exchange org.
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Graphs and parent-child with loops and duplicates

    There is a parent-child relation in the table t(prnt, chld) which allows duplicates (A->B, A->B) and opposite paths (A->B, B->A), and complicated loops. Is there a way to identify rows that form any separate "connections network" and assign a "name" to them of any kind (letter, number, whatever)? I try to use WITH recursive clause to identify and group rows belonging to one graph but with no luck. Any help would be appreciated.
    thank you

    Frank, I posted inputs for all graphs (multiple inserts) and some allowable outputs for one graph. For all cases (ie. graphs) the rule is the same:
    1. identify all nodes belonging to a graph
    2. "name" that graph (min, max or whatever you like)
    3. print the output in the form (node_belonging_to_a_graph, name_of_the_graph) for all identified graphs
    And as you said, I am somewhat flexible. I don't want to constrain the problem with saying min, max because it's not important how you name it, but the way which is somehow natural and fits with requirements is the usage of nodes' values.
    You ask me if (1,1),(2,1),(3,1) is also OK as an output for sample graph (1,2)+(2,3). Yes it is. It is one of those I posted but with additional node which is chosen as a name for a graph. But as you can guess it doesn't matter which node you choose, and the additional information about a node named with its own name is not as important and the information that all other nodes are named with that name but it is 100% acceptable. If you changed the naming convention and started to use letters instead of node values then yes, it would be a must to have the output in the form (1,a),(2,a),(3,a).
    You also ask me about the result for 90x data inserted as 5 rows: (901,902)..(906,904) and present sample result:
    901 902
    905 902
    906 902
    And the answer is no, it is not good result. It misses the information about the nodes 904 and 903 which belong to this graph too. The correct result could be:
    901 902
    905 902
    906 902
    903 902
    904 902
    or any other "combination" which presents 5 nodes with the name of the sixth (in this case of 6-node graph). Just one has to be picked, it doesn't matter which one. The "vertical" order is also irrelevant.
    As you can see there is a lot of room that gives acceptable result. I don't want to constrain it because it can influence performance which is important when dealing with graph structures in relational databases (RDBMS are not predestined to easily cope with that sort of information). It can also influence the chosen algorithm and I'd like to pick the fastest one which gives acceptable result.
    Two numbers x and y are in the same group (graph) if (and only if) at least one of the following is true:
    (1) they appear on the same row together (it doesn't matter which number is in which of the 2 columns), or
    --(2) x appears on the same row with a third number, z, and z is in the same group as y--
    (2) there are other edges (entries) in the table that form a "path" from x to y. And because the direction of the path is not important for the problem (ie. the parent-child table structure can be forgotten for a moment), the path means "there exists connection" between x and y aka "you can walk from x to y".
    The output consists of 2 columns: id (which is unique in the result set) and grp (which identifies the group) *[correct]*
    The id column will always be one of the numbers in the group *[correct]*
    It doesn't matter what the grp column is, or even what data type, as long as it distinguishes between the different groups. *[correct, but as you noted using one, picked number from a graph is the preferable way]*
    If there are N distinct numbers in the group, I need N rows of output for that group, with id showing all those distinct numbers. *[correct, but if you choose your naming convention as naming a graph with the value of the node belonging to it you can omit the node which is named for itself (but it doesn't hurt if such a row appears in the result)]*
    You ask me if the graph is directed. No it's not. Your example (x,y) and (y,x) is great, and it can be concluded from my first post when I say that "opposite paths" (A->B, B->A) exists. What matters is the connection between the nodes. The parent-child table somehow imposes that direction is important, but for this problem it is not.
    One of the motivations for my post is to know what other people think without affecting their minds with my approach. I don't want to skew anybody's mind into my solution which works, but it's not effective. I don't mind showing it but I kindly ask you to think about the problem before I post it. Diversity of approaches helps to distill the best one.
    As I said I did it with the usage of sys_connect_by_path. If it doesn't appear to you as possible usage then it is likely that I don't use it efficiently. Please understand, I will post it if you ask me one more time but if you can live for a while without my inefficient solution and suggest something with WITH clause I would appreciate it.
    There is no exact result I expect. There are many results which are correct and acceptable. They all must follow the rules described at the beginning.
    Thank you
    Edited by: 943276 on Jun 28, 2012 1:32 AM

  • Puzzled - parent domain user as administrator in child domain cannot add printer

    I've got a bare domain at the forest with 3 users and several "child" domains.  I'm trying to set it up so that the user (let's call it EA-Service) in the forest can do administrative work in each of the sub domains without having to log on to the various
    domains as each domain's domain administrator.  There are a handful of these domains at this time, but as we pick up more accounts (think hosting), we expect the number of domains to reach the hundreds.  I don't want hundreds of domain accounts
    to track.
    I thought adding EA-Service to a forest group called EA-Universal and adding EA-Universal to Builtin\Administrators on each of the domain controllers would give me administrator access on each of the domains.
    I spent a frustrating two days trying to add an internet printer's driver using EA-Service on one of the child domains and it kept failing (message wasn't clear).  Today I said, What the Heck, logon with my domain admin account on the child domain and
    try.  It worked.  I dropped the printer and then logged out and back in with my EA-Service account and I couldn't do it.  Clearly Builtin\Administrator isn't everything on a DC.
    What right, privilege, or piece of arcane magic did the domain administrator account have that the EA-Service account did not?  And how can I give that special whatever-it-might-be to my EA-Service account?
    How can I determine exactly what rights & privileges a particular userid on a machine has?  I could then compare the two sets of rights and see what was different.
    I really need to have a super-duper-administrator account to do various maintenance tasks and I don't want to have to use each domain's Admin account to do it. 
    Can y'all help me?
    -g

    I had an entire post built that took me all day with interruptions and poof, it's gone.  Rats.  Here is my second attempt:
    Assign permission on the resource using DL group.
    This last one is the one I'm having trouble with.
    I have to admit that I'm feeling very stupid about this whole thing.  Everyone seems to understand it completely.  I have read many posts and believe I understand them, but I'm not getting something as I've certainly not got it to work.
    I have seen some excellent writeup by Ace, Awinish, Meinolf that have really helped me understand the RBAC/AGUDLP/IGDLA.  This
    post by Ace Fekay is one such example among others.  I have read about the different group types and scopes.  I have read about rights, privileges and permissions.  I believe I understand them.  I've worked in security since IBM's
    RACF which is also RBAC.
    The problem is just what permissions need to be given to DA-DomainLocal (the group to which EA-Service, the forest user, ultimately belongs) so that its members have the same abilities as DA-Service (a domain administrator account on a child domain)?
    Clearly adding to Administrators on the child AD is insufficient as the EA-Service ID was directly added to it and it could not add a printer while DA-Service could.  EA-Service is also a member of the Enterprise Admins group on the parent/forest domain.
    What other permissions/rights/privileges does the DA-DomainLocal group (or directly, the EA-Service ID) still lack?  What are the differences between the access tokens/descriptors of EA-Service and DA-Service?  And how do I find out? 
    I believe I've seen some tool that showed them, but I can't seem to find it now that I'm looking.
    I listed the NTFS permissions (via AccessEnum from SysInternals) for the entire C drive and note that Administrators is on most of them and not once did I see something like Domain Admins appear and I saw nothing to do with printers at all.  The list
    was very long so I could have missed it if it was there.  I also used the same tool to look at the HKLM hive, but that was too large to browse through.
    I have set up the group structure exactly as Awinish suggested and remain stuck at the last piece.  If it was some specific resource I'd have no problem, I could add it, give it permissions/rights/privileges as needful.  The problem remains is
    that I don't know what those permissions/rights/privileges are nor how to discover a definitive list (I've seen some generic lists, but they don't list the exact names of the right/privileges).
    I'm sure I'm just being dumb.
    How do I go about discovering what permissions/rights/privileges that DA-Service has that EA-Service (via the DA-DomainLocal group) needs?
    I thank all of you for helping me.  I appreciate the time you are taking.
    -g
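
One way to get the token comparison asked about in the thread above, as an added example that is not part of the original posts: diff the output of `whoami /groups /fo csv` captured once per account. The function name `Compare-TokenGroup` is hypothetical, the CSV text is constructed sample data with made-up SIDs, and the column headers assume an English-language Windows installation.

```powershell
# Capture each account's token on the same machine, from an elevated prompt:
#   whoami /groups /fo csv > DA-Service-groups.csv   (then Import-Csv the file)
# The CSV text below is constructed sample data standing in for those files;
# it does not describe or diagnose the poster's environment.
$daCsv = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"CHILD1\Domain Admins","Group","S-1-5-21-2000000001-2000000002-2000000003-512","Mandatory group, Enabled by default, Enabled group"
'@
$eaCsv = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"PARENT\Enterprise Admins","Group","S-1-5-21-1000000001-1000000002-1000000003-519","Mandatory group, Enabled by default, Enabled group"
'@

function Compare-TokenGroup {
    param(
        [Parameter(Mandatory)][object[]]$Reference,   # rows for the account that works
        [Parameter(Mandatory)][object[]]$Difference   # rows for the account that fails
    )
    # Index both tokens by SID: names can collide across domains, SIDs cannot.
    $refBySid = @{}; foreach ($g in $Reference)  { $refBySid[$g.SID] = $g }
    $difBySid = @{}; foreach ($g in $Difference) { $difBySid[$g.SID] = $g }

    foreach ($sid in (@($refBySid.Keys) + @($difBySid.Keys) | Sort-Object -Unique)) {
        $r = $refBySid[$sid]; $d = $difBySid[$sid]
        # Same group with the same attributes in both tokens: nothing to report.
        if ($r -and $d -and $r.Attributes -eq $d.Attributes) { continue }
        $status = if (-not $d) { 'OnlyInReference' }
                  elseif (-not $r) { 'OnlyInDifference' }
                  else { 'AttributesDiffer' }
        [pscustomobject]@{
            Status               = $status
            Group                = if ($r) { $r.'Group Name' } else { $d.'Group Name' }
            SID                  = $sid
            ReferenceAttributes  = if ($r) { $r.Attributes }
            DifferenceAttributes = if ($d) { $d.Attributes }
        }
    }
}

Compare-TokenGroup -Reference ($daCsv | ConvertFrom-Csv) -Difference ($eaCsv | ConvertFrom-Csv) |
    Format-List
```

A group that shows "Group used for deny only" in one capture usually means that capture came from a non-elevated (UAC-filtered) session, so take both captures elevated before reading anything into the diff. `whoami /priv` lists the token's privileges and can be compared the same way.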

  • User Migration from Parent Domain to Child Domain..The user is enabled with Exchange 2010 Mailbox in Parent Domain

    We currently have a single Windows 2008 R2 Active Directory domain controller, and an Exchange 2010 server. We are in the process of adding a child domain on a second Active Directory server for an offsite office location for a subdivision of our company.
    The two locations will be connected via VPN.
    Currently users exist on the root domain with Exchange accounts who will be moving to the new offsite company/location. We would like to be able to move these user accounts to the child domain while maintaining their existing Exchange mailboxes and
    email addresses. Is this possible, and if so how would we do it?

    Hi Srinivasa,
    According to your description, I think you have done all the preparation.
    For DL migration, the following article may give your some hints:
    How to Migrate Distribution Groups Across a Forest
    Good Luck!
    Niko Cheng
    TechNet Community Support

  • How to allow Sharepoint users to login from multiple parent-child accounts?

    Our client has multiple AD domains and wants to allow people who have multiple AD accounts in multiple domains to log in as THE SAME user:
    - only the primary account will be visible in search
    - there will be only one user profile with all information gathered from all sub accounts
    - permissions for the sub account will be in sync with the parent account
    - tasks generated for the parent will be visible for child accounts too, etc.
    - the AD admin can link the accounts together in Active Directory - this link is permanent (even if we move users to another OU) and the AD admin can define which account is primary and secondary (parent/child)
    How can we implement this in SharePoint 2010 Std Server?

    Everything in SharePoint keys off the Security Identifier (SID) of a user.  Each user in a domain has a unique SID, so there is no way to have multiple users recognized in SharePoint as the same user.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • Simulate 1-N relationship as N-N by using Parent-Child structure

    Hi,
    I have a 1-N relationship between SKILL and USER tables, meaning 1 skill can be applied to several users. A skill can have a parent skill, meaning that a ParentSkill inherits all privileges of its child.
    I would like to simulate a N-N relationship between users and skills by building a view which goes through the parent-child relationship... Can this be accomplished by building a view?
    Current structure:
    |USERID | USERNAME | SKILLID  |
    +-------+----------+----------+
    |   1   |  Jack    |      1   |
    |   2   |  Simon   |      1   |
    |   3   |  Fred    |      3   |
    +-------+----------+----------+
    |SKILLID | DESCRIPTION   | PARENTSKILL  |
    +--------+---------------+--------------+
    |   1    |  Mechanic     |      2       |
    |   2    |  Inspector    |      3       |
    |   3    |  Supervisor   |      null    |
    +--------+---------------+--------------+
    Preferred output (ordering of skillid is not important):
    |USERID | USERNAME | SKILLID  |
    +-------+----------+----------+
    |   1   |  Jack    |      1   |
    |   2   |  Simon   |      1   |
    |   3   |  Fred    |      3   |
    |   3   |  Fred    |      2   |
    |   3   |  Fred    |      1   |
    +-------+----------+----------+

    Hopefully this meets your needs:
    WITH
    users as
    (
        SELECT 1 as USERID, 'Jack' as USERNAME, 1 as SKILLID FROM DUAL UNION ALL
        SELECT 2 as USERID, 'Simon' as USERNAME, 1 as SKILLID FROM DUAL UNION ALL
        SELECT 3 as USERID, 'Fred' as USERNAME, 3 as SKILLID FROM DUAL
    ),
    skills as
    (
        -- No START WITH: every skill is a root, and each walk climbs to its parent skills
        SELECT SKILLID,CONNECT_BY_ROOT SKILLID AS ANCESTORS
        FROM
        (
                SELECT 1 as SKILLID, 'Mechanic' as DESCRIPTION, 2 as PARENTSKILL FROM DUAL UNION ALL
                SELECT 2, 'Inspector', 3 FROM DUAL UNION ALL
                SELECT 3, 'Supervisor', NULL FROM DUAL
        )
        CONNECT BY PRIOR PARENTSKILL = SKILLID
    )
    SELECT USERID,USERNAME,ANCESTORS
    FROM skills, users
    WHERE users.skillid = skills.skillid;

        USERID USERN  ANCESTORS
             1 Jack           1
             2 Simon          1
             3 Fred           3
             3 Fred           2
             3 Fred           1

    Hope this helps!

  • Added existing domain to the parent domain and now permission not inheriting on the child domain

    Hi Friends
    There was an existing domain, but we bought the company and made that domain a child domain of our domain. The problem is that users of the parent domain do not have access to the child domain; permissions are not inheriting from the parent domain to the child domain.
    For example, I created a user on the parent domain and I can't even log in to a machine in the other domain or access the resources which are on the child domain.

    Simply delegate the permissions you want to grant so that users from the root domain can have access to resources in the child domain.
    As an example, you can let users from the parent domain log in to computers in the child domain using the
    Allow logon locally group policy: http://technet.microsoft.com/en-us/library/cc756809%28v=ws.10%29.aspx
    You can also make them able to RDP to the computers if you add them to the Remote Desktop Users
    group. This could be done with a Restricted Groups Group Policy.
    So, for security reasons and depending on your current configuration, it is normal that users from the root domain might not have by default access to resources in the child domain. This could be fixed by doing the proper delegation.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the forest root. We have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks, sorry for the confusion.

    Ah ok.
    Yes, you can. The answer is basically the same. The group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain's admin groups, OR make sure the domain admins of the forest root are not members of the
    Enterprise Admins group. That way they are still only admins in the parent domain.
    It really only depends on group membership and on including those groups in the child domain. By default the Enterprise Admins group is included, for example, but nothing stops you from removing those groups.
    Based on the group membership you can also deny them the ability to log on.
    The only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.
