Puppet issue PUP-4208

Name Collision When Managing Users or Groups in Trusted Domains


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.7.4
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Environment: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Trusted Active Directory Domains

    • Release Notes: Not Needed
    • Release Notes Summary: See release notes for PUP-8231.

    Description

      If the same NT user name or group name exists in multiple trusted domains and a local group resource is defined with two identically-named accounts or groups as members, the local domain account will resolve properly and the remote (trusted) domain account will resolve incorrectly as the local domain account or group.

      Example (backslashes are written as `\\` because the strings are double-quoted):

      group { 'Administrators':
        ensure  => 'present',
        members => [
          "${$::hostname}\\Administrator",
          "domainA\\Domain Admins",
          "domainA\\serviceAcct",
          "domainB\\serviceAcct",
        ],
      }

      Although a distinct service account named "serviceAcct" exists in both "domainA" and "domainB", if the computer resides in "domainA" the Puppet agent resolves both member references to the "domainA" account.

      If SIDs are used to reference the user accounts in order to guarantee uniqueness, the Puppet agent sets the resource correctly, but it still reports an unnecessary 'change' to the resource on every agent run, because the "domainB" account is still resolved, incorrectly, to the "domainA" account.

      Example:

      group { 'Administrators':
        ensure  => 'present',
        members => [
          "${$::hostname}\\Administrator",
          "domainA\\Domain Admins",
          "S-1-5-21-111111111-11111111-1111111111-1111", # SID for "domainA\serviceAcct"
          "S-1-5-21-222222222-22222222-2222222222-2222", # SID for "domainB\serviceAcct"
        ],
      }

      Log Result:

      members changed 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainB\serviceAcct' to 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainA\serviceAcct'

      Because of this behavior, it is impossible to manage user accounts or groups in trusted domains that share a name with an account or group in the local domain: the local-domain account or group always takes precedence.
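      As an added check, not part of the ticket or of Puppet itself, the PowerShell below verifies a local group's membership by SID rather than by name: each intended member (DOMAIN\name or a literal SID) is translated to a SID through the LSA lookup, which honours the domain qualifier, and compared against the SIDs actually in the group, so a trusted-domain account that was silently replaced by its local-domain namesake shows up as Present = False, and two intended entries collapsing to one SID are flagged. The group name and the domainA/domainB member names are placeholders taken from the ticket's manifest.

```powershell
# Added check (not from the ticket or from Puppet): confirm each intended
# member of a local group by SID, so a trusted-domain account that shares
# a name with a local-domain account cannot be mistaken for it.
function Resolve-MemberSid {
    param([string]$Member)
    # A literal SID string (S-1-5-...) is used as-is.
    if ($Member -match '^S-1-') {
        return New-Object System.Security.Principal.SecurityIdentifier($Member)
    }
    # DOMAIN\name: translate the NT account to its SID via LSA lookup,
    # which honours the domain qualifier. Throws if no trust path exists.
    $domain, $name = $Member -split '\\', 2
    $acct = New-Object System.Security.Principal.NTAccount($domain, $name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier])
}

function Get-LocalGroupMemberSids {
    param([string]$Group)
    # The ADSI WinNT provider works on Server 2008 through 2012 R2,
    # where Get-LocalGroupMember is not available.
    $adsiGroup = [ADSI]"WinNT://./$Group,group"
    foreach ($m in @($adsiGroup.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
}

function Test-GroupMembership {
    param([string]$Group, [string[]]$Wanted)
    $actual = @(Get-LocalGroupMemberSids -Group $Group | ForEach-Object { $_.Value })
    $seen = @{}
    foreach ($w in $Wanted) {
        $sid = (Resolve-MemberSid -Member $w).Value
        # Two intended entries collapsing to one SID is the ticket's symptom:
        # the trusted-domain name was resolved as the local-domain account.
        if ($seen.ContainsKey($sid)) {
            Write-Warning "'$w' and '$($seen[$sid])' both resolve to $sid"
        }
        $seen[$sid] = $w
        [pscustomobject]@{ Member = $w; Sid = $sid; Present = ($actual -contains $sid) }
    }
}

# Constructed inputs mirroring the ticket's manifest (placeholder domain names).
Test-GroupMembership -Group 'Administrators' -Wanted @(
    "$env:COMPUTERNAME\Administrator",
    'domainA\Domain Admins',
    'domainA\serviceAcct',
    'domainB\serviceAcct'
) | Format-Table -AutoSize
```

      Run it after a Puppet agent run on a host in domainA: a row with Present = False for domainB\serviceAcct is the drift the ticket describes, independent of what the agent reported.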

      People

        Ethan Brown
        Chris Stephens
        Eric Thompson