Solved

LDAP does not enumerate all members of an AD group

Posted on 2003-11-12
Last Modified: 2010-04-13
We are running Windows 2000, Active Directory in native mode.  We upgraded our existing NT 4 domain and migrated all the user accounts and groups (there are no more NT 4 Domain Controllers).

When I use the "Active Directory Users and Computers" snap-in to view a particular group on the Domain, I see 54 members.  However, when I use Linux "ldapsearch" or even a VBS script using LDAP, I only see 27 members.

However, when I use some of my old perl scripts I used on our old NT 4 Domain and query the same group, I see all 54 members.  I have searched Microsoft's KB site and the web but cannot find anything that explains this discrepancy.

I would like to use VBS and LDAP to administer my AD but if it is not consistent, I'm going to have problems.
Question by:rotaiv

Expert Comment

by:Gunsen
ID: 9730996
Inspect each member using an LDAP browser, and check the attributes objectClass and objectCategory to see if they differ for any member.

Author Comment

by:rotaiv
ID: 9731341
I checked and both attributes are the same.  The only difference between the two users is the "Group Membership" - which is the whole problem.  All of the other attributes appear to be the same except for personal information obviously.

Accepted Solution

by:rotaiv
ID: 10042642
I have found the answer.  The inconsistency was due to the "Primary Group" value of specific members.  When you use "Active Directory Users and Computers" snap-in to view a particular group, it will show all "members" of that group AND all users who have that particular group set as their "Primary Group".  However, when you use LDAP, it will ONLY show members of that group and NOT users who have that group as their "Primary Group".

In conclusion, I had 27 users whose primary group was NOT "Domain Users" (which is the default).  I wrote a VBS script that changed the "Primary Group" for all users in the domain to "Domain Users" and that fixed my problem.  It would appear that my old perl scripts working in NT 4 compatibility mode also listed users via the "Primary Group" the same as the Active Directory snap-in.

For what it is worth, we discovered the solution when we tried to remove the unwanted users from the group.  We got the error message indicating we could not do that because it was their primary group.
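
An added example, not part of the original post: a Python sketch of how an audit script can reproduce the snap-in's view by combining the group's `member` attribute with accounts whose `primaryGroupID` equals the group's RID (the last sub-authority of its `objectSid`). The SIDs, RID 1105, DNs and entry dictionaries are constructed sample data standing in for LDAP search results.

```python
import struct

def rid_from_sid(sid: bytes) -> int:
    """Return the RID (last sub-authority) of a binary objectSid."""
    if len(sid) < 12 or sid[0] != 1 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed objectSid")
    return struct.unpack_from("<I", sid, len(sid) - 4)[0]

def primary_group_filter(group_sid: bytes) -> str:
    """LDAP filter matching accounts whose Primary Group is this group."""
    return f"(primaryGroupID={rid_from_sid(group_sid)})"

def effective_members(group: dict, accounts: list) -> dict:
    """Map each member DN to the way it belongs to the group."""
    rid = rid_from_sid(group["objectSid"])
    domain = group["objectSid"][:-4]  # domain part of the SID
    found = {dn: "member" for dn in group.get("member", [])}
    for acct in accounts:
        # primaryGroupID is a RID relative to the account's own domain.
        if acct["objectSid"][:-4] == domain and acct.get("primaryGroupID") == rid:
            found.setdefault(acct["dn"], "primaryGroupID")
    return found

# --- constructed sample data (not from the original post) ---
def make_sid(*subauths: int) -> bytes:
    head = bytes([1, len(subauths)]) + (5).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauths)

DOM = (21, 1111111111, 2222222222, 3333333333)
GROUP = {"dn": "CN=Staff,DC=example,DC=com",
         "objectSid": make_sid(*DOM, 1105),
         "member": ["CN=alice,DC=example,DC=com"]}
ACCOUNTS = [
    {"dn": "CN=alice,DC=example,DC=com",
     "objectSid": make_sid(*DOM, 1201), "primaryGroupID": 513},
    {"dn": "CN=bob,DC=example,DC=com",
     "objectSid": make_sid(*DOM, 1202), "primaryGroupID": 1105},
    {"dn": "CN=carol,DC=example,DC=com",
     "objectSid": make_sid(*DOM, 1203), "primaryGroupID": 513},
]

if __name__ == "__main__":
    print(primary_group_filter(GROUP["objectSid"]))
    for dn, how in effective_members(GROUP, ACCOUNTS).items():
        print(f"{how:15} {dn}")
```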