LDAP does not enumerate all members of an AD group

We are running Windows 2000, Active Directory in native mode.  We upgraded our existing NT 4 domain and migrated all the user accounts and groups (there are no more NT 4 Domain Controllers).

When I use the "Active Directory Users and Computers" snap-in to view a particular group on the Domain, I see 54 members.  However, when I use Linux "ldapsearch" or even a VBS script using LDAP, I only see 27 members.

However, when I use some of my old Perl scripts that I used on our old NT 4 domain and query the same group, I see all 54 members.  I have searched Microsoft's KB site and the web but cannot find anything that explains this discrepancy.

I would like to use VBS and LDAP to administer my AD but if it is not consistent, I'm going to have problems.
rotaiv Asked:

Gunsen Commented:
Inspect each member using an LDAP browser, and check the attributes objectClass and objectCategory to see if they differ for any member.
0
rotaiv (Author) Commented:
I checked and both attributes are the same.  The only difference between the two users is the "Group Membership" - which is the whole problem.  All of the other attributes appear to be the same except for personal information obviously.
0
rotaiv (Author) Commented:
I have found the answer.  The inconsistency was due to the "Primary Group" value of specific members.  When you use "Active Directory Users and Computers" snap-in to view a particular group, it will show all "members" of that group AND all users who have that particular group set as their "Primary Group".  However, when you use LDAP, it will ONLY show members of that group and NOT users who have that group as their "Primary Group".

In conclusion, I had 27 users whose primary group was NOT "Domain Users" (which is the default).  I wrote a VBS script that changed the "Primary Group" for all users in the domain to "Domain Users" and that fixed my problem.  It would appear that my old Perl scripts, working in NT 4 compatibility mode, also listed users via the "Primary Group", the same as the Active Directory snap-in.

For what it is worth, we discovered the solution when we tried to remove the unwanted users from the group.  We got the error message indicating we could not do that because it was their primary group.
0
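The behaviour described in the accepted answer can be reproduced offline. The following is an added example, not code from the thread: it models a few LDAP entries as an in-memory dictionary (constructed sample data, names and the DN layout `DC=example,DC=local` are assumptions) and shows that the `member` attribute alone misses users whose `primaryGroupID` equals the group's RID (the last component of its `objectSid`). It also builds the two LDAP filters a complete enumeration against a live DC needs, and lists accounts whose primary group is not the default "Domain Users" (well-known RID 513), which is the set the author had to fix.

```python
# Added example: resolve full AD group membership the way the "Users and
# Computers" snap-in does (explicit members + primary-group members).
# SAMPLE_DIRECTORY is constructed data shaped like ldapsearch results; it is
# an assumption, not output from the thread's domain.

from typing import Dict, List, Tuple

DOMAIN_USERS_RID = 513  # well-known RID of the default primary group

GROUP_DN = "CN=Staff,OU=Groups,DC=example,DC=local"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

SAMPLE_DIRECTORY: Dict[str, dict] = {
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "objectSid": "S-1-5-21-1111-2222-3333-1105",  # RID 1105
        "member": [
            "CN=alice,OU=Users,DC=example,DC=local",
            "CN=bob,OU=Users,DC=example,DC=local",
        ],
    },
    # alice and bob are explicit members; their primary group is Domain Users.
    "CN=alice,OU=Users,DC=example,DC=local": {"objectClass": USER_CLASSES, "primaryGroupID": 513},
    "CN=bob,OU=Users,DC=example,DC=local": {"objectClass": USER_CLASSES, "primaryGroupID": 513},
    # carol is NOT in Staff's member attribute, but Staff is her primary group,
    # so the snap-in shows her and a plain LDAP "member" read does not.
    "CN=carol,OU=Users,DC=example,DC=local": {"objectClass": USER_CLASSES, "primaryGroupID": 1105},
    # dave is unrelated to Staff.
    "CN=dave,OU=Users,DC=example,DC=local": {"objectClass": USER_CLASSES, "primaryGroupID": 513},
}


def rid_from_sid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a textual SID."""
    return int(sid.rsplit("-", 1)[1])


def _is_user(attrs: dict) -> bool:
    return "user" in attrs.get("objectClass", [])


def explicit_members(group_dn: str, directory: Dict[str, dict]) -> List[str]:
    """What ldapsearch / a VBS script sees when it reads the group's 'member' attribute."""
    return sorted(directory[group_dn].get("member", []))


def primary_group_members(group_dn: str, directory: Dict[str, dict]) -> List[str]:
    """Users whose primaryGroupID equals the group's RID; absent from 'member'."""
    rid = rid_from_sid(directory[group_dn]["objectSid"])
    return sorted(dn for dn, attrs in directory.items()
                  if _is_user(attrs) and attrs.get("primaryGroupID") == rid)


def full_membership(group_dn: str, directory: Dict[str, dict]) -> List[str]:
    """Union of both sources: this matches what the snap-in displays."""
    return sorted(set(explicit_members(group_dn, directory))
                  | set(primary_group_members(group_dn, directory)))


def users_with_nondefault_primary_group(directory: Dict[str, dict],
                                        default_rid: int = DOMAIN_USERS_RID) -> List[str]:
    """Accounts whose primary group is not Domain Users; the set the author reset."""
    return sorted(dn for dn, attrs in directory.items()
                  if _is_user(attrs) and attrs.get("primaryGroupID") != default_rid)


def membership_filters(group_dn: str, directory: Dict[str, dict]) -> Tuple[str, str]:
    """The two LDAP filters needed for a complete enumeration on a live DC.
    memberOf is a back-link computed from 'member', so it has the same blind spot
    and a second query on primaryGroupID is required."""
    rid = rid_from_sid(directory[group_dn]["objectSid"])
    return (f"(&(objectCategory=person)(memberOf={group_dn}))",
            f"(&(objectCategory=person)(primaryGroupID={rid}))")


if __name__ == "__main__":
    print("member attribute only:", explicit_members(GROUP_DN, SAMPLE_DIRECTORY))
    print("via primaryGroupID:   ", primary_group_members(GROUP_DN, SAMPLE_DIRECTORY))
    print("snap-in view:         ", full_membership(GROUP_DN, SAMPLE_DIRECTORY))
    print("non-default primary group:", users_with_nondefault_primary_group(SAMPLE_DIRECTORY))
    for f in membership_filters(GROUP_DN, SAMPLE_DIRECTORY):
        print("filter:", f)
```

Two practical consequences follow from this. First, any membership audit of a sensitive group that reads only `member` (or filters on `memberOf`) under-reports, so the second `primaryGroupID` query should be part of the audit. Second, the "Domain Users" group itself normally has an almost empty `member` attribute for exactly this reason; counting its members via LDAP requires the `primaryGroupID=513` filter, not the group object.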
