Hi All
Error
Cannot add AD users for one particular domain of a multidomain landscape.
Facing an issue with BI 4.0 creating AD users manually in BOE/CMC
Creation of the user otherdomain\username cannot complete because the user is not a member of any the mapped groups
Overview
We are running 3 domains; for sanitisation let's call them CORP (the main company), FUN and GAMES (the subsidiaries). Whilst not relevant for the manual AD authentication, here are the details from krb5.ini (we will be moving to SSO)
Configuration
In authentication I could add the member groups (basically the Domain Users group from FUN and GAMES) without issues, and these are recognized.
Oddly, I can add AD users for the primary CORP domain (easy) and for the other domain FUN without errors.
Only domain GAMES fails with a CORP user (I tested with a few users).
SAP Notes
1735248 - BI 4.0: Unable to manually map AD users in 'User and Groups', even though mapped AD groups appear. http://service.sap.com/sap/support/notes/1735248 Says the following: "Change the Administration Name to a suitable account, or grant more rights to the account used. Users will then be able to be mapped manually."
Fair enough; however, at OS level the user corp\boqadm can see and view domain users in fun\<anyuser> and games\<anyuser> (i.e. logging in to Windows 2008 with boqadm I can view users and groups in the GAMES and FUN domains, and even add them to the local groups of the server).
TRACE
Tracing doesn't offer much help
Fail - AD configuration set to any user in CORP or FUN
With AD set to CORP domain cannot add GAMES domain users (as described above)
Pass - AD configuration is set to a GAMES domain
If I swing the user to a known user on domain GAMES then users can be found for all domains.
Summary and Questions
The AD administrator says everything is fine, so the fault is with the SAP software (BI); obviously a gap exists.
- Except for read access, which I have proven works for my AD authentication user (corp/boqadm) across all domains, what other access/authorization could be required by boqadm for the GAMES domain?
- Has anyone seen such a problem before? Is the next step Wireshark or another tracing tool?
- Or should I just be pragmatic and ask for a user GAMES\boqadm to be created, which in my testing can see CORP and FUN domain users, so that they can be added to BOE? A permanent workaround.
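One way to narrow down the rights question before reaching for Wireshark is to reproduce, outside BOE, the check the error message describes: bind to each domain as the AD administration account, look the user up, and test whether any of the groups mapped in the CMC appear in the user's expanded group membership (tokenGroups). This is an added diagnostic script, not part of the original post or of the SAP product; the domain DNS names, the mapped group DNs, the user name and the account are placeholders to be replaced with your own values.

```powershell
# Added diagnostic (not SAP code). Binds with explicit credentials so that the
# rights of the AD administration account itself are what gets tested.
Add-Type -AssemblyName System.DirectoryServices

# Derive the DNS domain name from a DN's DC= parts (…,DC=games,DC=example,DC=local -> games.example.local)
function Get-DomainFromDn([string]$Dn) {
    (($Dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

# Bind to an object with the supplied credentials and return its objectSid as a string
function Get-ObjectSid([string]$Domain, [string]$Dn, [System.Management.Automation.PSCredential]$Cred) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/$Dn", $Cred.UserName, $Cred.GetNetworkCredential().Password)
    $raw = [byte[]]$entry.Properties["objectSid"].Value
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

# Report whether $SamAccountName in $UserDomain is readable by $Cred and belongs to any mapped group
function Test-MappedGroupMembership([string]$UserDomain, [string]$SamAccountName, [string[]]$MappedGroupDns, [System.Management.Automation.PSCredential]$Cred) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$UserDomain", $Cred.UserName, $Cred.GetNetworkCredential().Password)
    # $SamAccountName is admin-supplied here; escape it if this is ever fed from untrusted input
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=person)(sAMAccountName=$SamAccountName))")
    try { $hit = $searcher.FindOne() }
    catch { return "${UserDomain}: bind/search failed as $($Cred.UserName): $($_.Exception.Message)" }
    if (-not $hit) { return "$UserDomain\${SamAccountName}: not found (or not readable by $($Cred.UserName))" }

    # tokenGroups is a constructed attribute: it holds the expanded, nested, cross-domain group SIDs
    # and reading it needs separate rights, so a failure here is itself a useful finding
    $user = $hit.GetDirectoryEntry()
    try { $user.RefreshCache([string[]]@("tokenGroups")) }
    catch { return "$UserDomain\${SamAccountName}: found, but tokenGroups not readable by $($Cred.UserName): $($_.Exception.Message)" }
    $userSids = foreach ($b in $user.Properties["tokenGroups"]) { (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$b, 0)).Value }

    $matched = foreach ($dn in $MappedGroupDns) {
        $sid = Get-ObjectSid (Get-DomainFromDn $dn) $dn $Cred
        if ($userSids -contains $sid) { $dn }
    }
    if ($matched) { "$UserDomain\${SamAccountName}: member of mapped group(s): $($matched -join '; ')" }
    else { "$UserDomain\${SamAccountName}: resolves, but none of $($MappedGroupDns.Count) mapped groups are in its $($userSids.Count) tokenGroups SIDs" }
}

# Usage (placeholder values): run on the BI server, supplying the CMC AD administration account
$cred   = Get-Credential 'CORP\boqadm'
$mapped = @('CN=Domain Users,CN=Users,DC=fun,DC=example,DC=local', 'CN=Domain Users,CN=Users,DC=games,DC=example,DC=local')
'corp.example.local', 'fun.example.local', 'games.example.local' | ForEach-Object { Test-MappedGroupMembership $_ 'someuser' $mapped $cred }
```

Running it once with CORP\boqadm and once with a GAMES domain account makes the comparison from the TRACE section concrete: if the GAMES query fails or returns no tokenGroups only under CORP\boqadm, the missing right is on the GAMES side, not in BOE.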