InstantForum.NET v2.9.0SQLServerCentralhttp://www.sqlservercentral.com/Forums/notifications@sqlservercentral.comFri, 24 May 2013 13:41:20 GMT20http://www.sqlservercentral.com/Forums/Topic1382171-391-1.aspxJust an update, our domains are configured liked so: ForestA ForestB | | DomainB DomainC | DomainA (child domain)Wed, 14 Nov 2012 07:53:54 GMTtafountainhttp://www.sqlservercentral.com/Forums/Topic1382171-391-1.aspxIs this perhaps a tough one? lol - any thoughts anyone?Thu, 08 Nov 2012 07:15:17 GMTtafountainhttp://www.sqlservercentral.com/Forums/Topic1382171-391-1.aspxI have one user that is receiving this error on 5 instances out of the 8 they have access to. Let me outline our scenario:[ul][li]There are 3 [b]trusted[/b] domains involved in our network. I'll refer to them as [b]DomainA[/b], [b]DomainB[/b], and [b]DomainC[/b][/li][li]All users are granted access and permissions through a domain group that resides on [b]DomainA[/b]. I'll refer to this user as [b]DomainA\DevGroup[/b][/li][li]The account for the user in question resides on [b]DomainB[/b]. I'll refer to this account as [b]DomainB\DevUserA[/b][/li][li]The 3 instances the user [b]can[/b] access reside on either [b]DomainA[/b] (the domain the group resides) or [b]DomainB[/b] (the domain the user account resides)[/li][li]The 5 instances the user [b]cannot[/b] access reside on [b]DomainC[/b][/li][/ul]Now here is an oddity, there are about 15 other developers in this same group that can access all 8 servers just fine. We've ran our security with this setup for 8-10 years so nothing with that has changed on that front. This is a new employee in a different geographic location but serves the same role as the other 15 developers.When I execute xp_logininfo to see what groups this user belongs to I get the results below. Note these results are consistent across all 8 servers:[code="sql"]exec xp_logininfo @acctname='DomainB\DevUserA', @option='all';[/code]Results:[code="other"]account name type privilege mapped login name permission pathDomainB\DevUserA user user DomainB\DevUserA DomainA\DevGroup[/code]Now if I run xp_logininfo to get the members of all the groups I get mixed results (but their consistent per domain if that makes sense):[code="sql"]exec xp_logininfo @acctname='DomainA\DevGroup', @option='members';[/code]Results:[ul][li]When ran on any instance in [b]DomainA[/b] the results yield all of the other 15 users[/li][li]When ran on any instance in [b]DomainB[/b] the results yield only this 1 user[/li][li]When ran on any instance in [b]DomainC[/b] the results yield all of the other 15 users[/li][/ul]Any thoughts on this one? At first glance this appears to me there is some sort of issue with [b]DomainC[/b] authenicating accounts on [b]DomainB[/b], perhaps due to some sort of double-hop issue going through [b]DomainA[/b].Thanks in advance and sorry for the long winded post. I just wanted to make sure I provided all the facts and troubleshooting I've done so far.Wed, 07 Nov 2012 14:10:17 GMTtafountain