Affects Version/s: PUP 3.7.4
Fix Version/s: None
Component/s: Types and Providers
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Trusted Active Directory Domains
If the same NT user name or group name exists in multiple trusted domains and a local group resource is defined with two identically-named accounts or groups as members, the local domain account will resolve properly and the remote (trusted) domain account will resolve incorrectly as the local domain account or group.
Example (double \ removed):
Despite defining a service account with the same name "serviceAcct" in "domainA" and "domainB", if the computer resides in "domainA", both user references will resolve to "domainA" by the Puppet agent.
If SIDs are used to reference user accounts to ensure uniqueness, the resource is properly set by the Puppet agent, but the agent will continue to unnecessarily 'change' the resource on each run, as the "domainB" user account is continually resolved incorrectly in "domainA".
Because of this behavior it is impossible to manage user accounts or groups in trusted domains that have the same name. The user account or group that resides in the local domain will always take precedence.
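The following is an added example, not code from this ticket or from Puppet's provider: a simplified Ruby model of the reported behaviour, showing how a local-domain-first lookup collapses both accounts onto one SID and why a SID-based comparison then never converges. The SIDs, the directory table and all method names are constructed for illustration, and the lookup order is an assumption about the cause.

```ruby
# Simplified model of the reported symptom; NOT Puppet's provider code.
# Directory contents and SIDs below are constructed sample values.
DIRECTORY = {
  'domainA' => { 'serviceAcct' => 'S-1-5-21-1111-1111-1111-1001' },
  'domainB' => { 'serviceAcct' => 'S-1-5-21-2222-2222-2222-1001' }
}.freeze
LOCAL_DOMAIN = 'domainA'
MEMBERS = ['domainA\\serviceAcct', 'domainB\\serviceAcct'].freeze

# Split "DOMAIN\name" into [domain, name]; an unqualified name has domain nil.
def split_account(account)
  domain, name = account.split('\\', 2)
  name ? [domain, name] : [nil, domain]
end

# Hypothetical faulty lookup (assumed cause): the domain qualifier is ignored
# and the local domain is searched first, so the local account always wins.
def resolve_local_first(account)
  _domain, name = split_account(account)
  ([LOCAL_DOMAIN] + (DIRECTORY.keys - [LOCAL_DOMAIN])).each do |domain|
    sid = DIRECTORY[domain][name]
    return sid if sid
  end
  nil
end

# Expected lookup: the domain qualifier selects the directory to search.
def resolve_qualified(account)
  domain, name = split_account(account)
  DIRECTORY.fetch(domain || LOCAL_DOMAIN, {})[name]
end

# Check: distinct member names that resolve to one and the same SID.
def collisions(members, resolver)
  members.group_by { |m| send(resolver, m) }
         .select { |_sid, names| names.uniq.size > 1 }
end

# One modelled agent run: desired SIDs versus the SIDs obtained by resolving
# the group's current member names with the given resolver.
def in_sync?(desired_sids, current_members, resolver)
  desired_sids.sort == current_members.map { |m| send(resolver, m) }.sort
end
```

Running `collisions` over a group's member list is a quick way to see whether two domain-qualified entries are being treated as one principal, which matters because the trusted-domain account would otherwise be silently left out of the group.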