0
votes

I am trying to get all group members from "Domain Users". When using the AD Users MMC tab, I get a lot of results. When using ADSI, I don't. The following DOESN'T work as expected:

  • looking at members attribute of the group entry via LDAP/ADSI. It returns only 56 members when there are considerably more.
  • searching by memberOf (returns just a few entries)
  • searching by primaryGroup (it is not a primary group)
  • searching by tokenGroups (it is a constructed attribute)

any ideas appreciated.

1
Perhaps you could post your code so that we can see what you're doing. – Brian Desmond
Are you sure your users' primary group is not Domain Users? Normally, this is the case unless you change it deliberately. Also note that the primaryGroupToken for Domain Users is 513. So, doing this LDAP query should give you all the users with primary group set to Domain Users: (&(objectCategory=person)(objectClass=user)(primaryGroupID=513)) – Harvey Kwok
So, the objectSID for Domain Users is "1234567890-513" and primaryGroup for a user which I know belongs to it according to ADUC is "513". The control user which does not belong to Domain Users according to ADUC is 123940. Values of primaryGroup were retrieved by ADSIedit. Does that mean that in the Domain case, RID 513 is SID "1234567890-513"? – Konrads

1 Answer

2
votes

(I just read more carefully and saw that you mentioned it's not the primary group...but I'm suspicious this is the answer anyway :))

There is another mechanism by which a user can be a member of a group, and it's controlled by the primaryGroupID attribute of the user in the group.

If the primaryGroupID of a user is set to some RID of a group, the user is functionally in the group, even though they don't show up in the member attribute of the group. Tools like ADUC are wise enough to look for this. When you step a bit lower in the stack and hit the directory over LDAP, it is up to you to be smart enough to go hunting for it.

You can either do searches for this or use constructed attributes in the directory that take this into account.
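The search the answer describes, written out as an added example (this is not code from the answerer or from the question). It runs in Windows PowerShell on a domain-joined machine using the same ADSI/System.DirectoryServices stack the question is about, discovers the domain DN from RootDSE, derives the group's RID from its binary objectSid (cross-checked against the constructed primaryGroupToken attribute), and then returns every user who is a member either through the group's member attribute (seen from the user side as memberOf) or through primaryGroupID. The group name parameter and the 1000-entry page size are assumptions for the example; the RFC 4515 escaping helper is added so a DN containing parentheses, '*' or '\' cannot break the filter.

```powershell
# Added example, not part of the original post: list the effective members of a group,
# i.e. explicit members (memberOf) plus accounts whose primaryGroupID is the group's RID.
param(
    [string]$GroupName = 'Domain Users'   # assumption: sAMAccountName of the group to enumerate
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value embedded in an LDAP filter (backslash must be escaped first)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Discover the domain naming context instead of hard-coding DC=... components.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

# Locate the group. primaryGroupToken is a constructed attribute: it is only returned
# when explicitly requested through PropertiesToLoad, which is why reading it via the
# group object's attribute list on its own appears to give nothing.
$groupSearcher = New-Object System.DirectoryServices.DirectorySearcher
$groupSearcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$groupSearcher.Filter     = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
$groupSearcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectSid', 'primaryGroupToken'))
$group = $groupSearcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found under $domainDn" }

$groupDn  = [string]$group.Properties['distinguishedname'][0]

# objectSid comes back over LDAP as a byte array; the RID is the last sub-authority
# of the SID string (S-1-5-21-<domain>-513 for Domain Users).
$sidBytes = [byte[]]$group.Properties['objectsid'][0]
$sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$rid      = [int]$sid.Value.Split('-')[-1]
$token    = [int]$group.Properties['primarygrouptoken'][0]
if ($rid -ne $token) { throw "RID $rid from objectSid disagrees with primaryGroupToken $token" }

# Users are in the group if either condition holds. PageSize enables paged results;
# without it a search silently stops at the server's MaxPageSize (1000 by default).
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher
$userSearcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$userSearcher.PageSize   = 1000
$userSearcher.Filter     = "(&(objectCategory=person)(objectClass=user)(|(memberOf=$(ConvertTo-LdapFilterValue $groupDn))(primaryGroupID=$rid)))"
$userSearcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'primaryGroupID'))

$results = $userSearcher.FindAll()
try {
    $members = foreach ($r in $results) {
        $pgid = [int]$r.Properties['primarygroupid'][0]
        $how  = if ($pgid -eq $rid) { 'primaryGroupID' } else { 'member' }
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Membership     = $how
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}

$members | Sort-Object SamAccountName | Format-Table -AutoSize
"Effective members of '$GroupName' (RID $rid): $(@($members).Count)"
```

The Membership column shows which path put each account in the group; for a stock domain almost every user will show primaryGroupID, which is exactly the set the member attribute never lists. If you need the same answer for an arbitrary account rather than a group, the user-side constructed attribute tokenGroups (also only returned when explicitly requested) already folds the primary group in.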