When trying to bring a User account from another domain to assign it to a Security Role on the SMP Console, the User account was created under SMP Console>Settings>Security>Account Management>Accounts>Add. The problem is that it only allows entering users from the Main domain. When trying to associate the Windows account with the newly created one the following error is received:

"The specified User is invalid"

The trust relationship configuration has correctly been made between all the domains that are managed on this SMP server.

ITMS 8.5, 8.6, 8.7

It is necessary to bring the account reference from AD.

Users imported by a “User” AD Import rule should not be mistaken for accounts that get created in the SMP Console manually and associated with a “Windows” user. An imported user and a created user account could theoretically have the same name. The user account in the SMP Console will maintain its association with the Windows account unless the user is removed from AD.

A “Role and Account AD Import rule” is needed to import security groups and their membership as roles and accounts into the database. A ”Role and Account” rule will create roles for each imported security group and its membership as “Accounts”.  These “Accounts” are also included in the role’s membership.

The AD Import process supports creating Role and Account resources based on Groups and Users in Microsoft Active Directory.

Role resources are created for each Group imported from AD, and Account and Windows Credential resources are created for each User imported from AD. Also, the memberships of the group in AD are also imported.

In order to bring the User account reference from the other domain, you will need to import domain groups and users from Active Directory:

1. In the Symantec Management Console, on the Actions menu, click Discover > Import Microsoft Active Directory.
2. On the Microsoft Active Directory Import page, in the description that is labeled "Import Role and Account resources from <data source>, from (none). Perform this import on the specified schedule", click the user group (none).
3. In the Select Security Groups dialog box, search for the domain groups that you want to add; for example, Administrators and Users.
4. Click Add to add the selected groups, and then click OK.
5. Run the rule as a full import to import the selected domain group.
6. In the Symantec Management Console, on the Settings menu, click Security > Account Management>Accounts, you should see those imported accounts from the other domain.
7. After the account is present, assign the Security role as needed under the "Member of" tab.

Active Directory Import FAQ