RE: Getting the list of members in an AD group
Domain Users is not necessarily a primary group. Any group can be the primary group for a user. Primary group membership is stored as an attribute of the user and is not reflected in the member collection for a group or the memberOf collection for the user. Primary groups are a Windows NT "feature" that was carried forward into AD in order to support hybrid NT/AD domains. You must take this into account when querying AD group memberships.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder@aep.com
Phone: 614-716-4970
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Harry Jede
Sent: Friday, April 11, 2014 11:16 AM
To: openldap-technical@openldap.org
Cc: Sankar P; Mark Pröhl
Subject: Re: Getting the list of members in an AD group
Sankar P wrote:
> The group whose SID that I am trying to take is the default "Domain
> Users" group. The ldapsearch query too fails for that but for any
> other custom groups, the membership information is printed. So is
> there a different style that we should follow for getting the "Domain
> Users" group members ?
Yes.
"Domain Users" is a primary group, membership is stored in the user object.
--
Harry Jede
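
Added example (not part of the original thread): a Python sketch of how a membership audit can account for primary groups, by taking the RID from the group's binary objectSid and matching it against each user's primaryGroupID in addition to memberOf. The domain SID, DNs and user entries are constructed sample data; 513 is the well-known RID of Domain Users.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority; users store it in primaryGroupID."""
    return int(sid.rsplit("-", 1)[1])

def escape_filter(value: str) -> str:
    """Escape RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def effective_member_filter(group_dn: str, group_sid: bytes) -> str:
    """Filter matching explicit members AND users whose primary group this is."""
    rid = rid_of(parse_sid(group_sid))
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (escape_filter(group_dn), rid)

def effective_members(users, group_dn, group_sid):
    """Apply the same logic to already-fetched user entries (offline check)."""
    rid = rid_of(parse_sid(group_sid))
    return sorted(u["sAMAccountName"] for u in users
                  if group_dn in u.get("memberOf", [])
                  or u.get("primaryGroupID") == rid)

# Constructed sample data: made-up domain SID ending in RID 513.
GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
GROUP_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
             + struct.pack("<5I", 21, 1111, 2222, 3333, 513))
USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "bob", "primaryGroupID": 1105, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "primaryGroupID": 1105, "memberOf": []},
]

if __name__ == "__main__":
    print(effective_member_filter(GROUP_DN, GROUP_SID))
    print(effective_members(USERS, GROUP_DN, GROUP_SID))
```

The string returned by `effective_member_filter` can be passed as the search filter to ldapsearch against the user subtree; an audit that reads only the group's member attribute would miss "alice" in this sample.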