Solved

LDAP does not enumerate all members of an AD group

Posted on 2003-11-12
Last Modified: 2010-04-13
We are running Windows 2000, Active Directory in native mode.  We upgraded our existing NT 4 domain and migrated all the user accounts and groups (there are no more NT 4 Domain Controllers).

When I use the "Active Directory Users and Computers" snap-in to view a particular group on the Domain, I see 54 members.  However, when I use Linux "ldapsearch" or even a VBS script using LDAP, I only see 27 members.

However, when I use some of my old perl scripts I used on our old NT 4 Domain and query the same group, I see all 54 members.  I have searched Microsoft's KB site and the web but cannot find anything that explains this discrepancy.

I would like to use VBS and LDAP to administer my AD but if it is not consistent, I'm going to have problems.
Question by:rotaiv


Expert Comment

by:Gunsen
ID: 9730996
Inspect each member using an LDAP browser, and check the attributes objectClass and objectCategory to see if they differ for any member.

Author Comment

by:rotaiv
ID: 9731341
I checked and both attributes are the same.  The only difference between the two users is the "Group Membership" - which is the whole problem.  All of the other attributes appear to be the same except for personal information obviously.

Accepted Solution

by:rotaiv
ID: 10042642
I have found the answer.  The inconsistency was due to the "Primary Group" value of specific members.  When you use the "Active Directory Users and Computers" snap-in to view a particular group, it will show all "members" of that group AND all users who have that particular group set as their "Primary Group".  However, when you use LDAP, it will ONLY show members of that group and NOT users who have that group as their "Primary Group".

In conclusion, I had 27 users whose primary group was NOT "Domain Users" (which is the default).  I wrote a VBS script that changed the "Primary Group" for all users in the domain to "Domain Users" and that fixed my problem.  It would appear that my old perl scripts working in NT 4 compatibility mode also listed users via the "Primary Group" the same as the Active Directory snap-in.

For what it is worth, we discovered the solution when we tried to remove the unwanted users from the group.  We got the error message indicating we could not do that because it was their primary group.
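
The reconciliation the accepted answer describes, as an added example that is not part of the original thread and not the author's VBS script: an AD group's explicit `member` attribute never lists users whose `primaryGroupID` points at that group, so a complete membership view has to join the two. The script decodes the group's binary `objectSid` to obtain its RID (which is exactly the value `primaryGroupID` stores), finds the users that only ldapsearch misses, and plans the same fix the author applied (pointing every non-default primary group back at the well-known `Domain Users` RID 513). The directory entries, names and SIDs are constructed sample data; in practice you would feed it the attributes returned by ldapsearch or an LDAP library.

```python
"""Added example (not from the thread): reconcile an AD group's explicit
'member' list with users whose primaryGroupID points at that group.
Runs on constructed directory entries, no live LDAP connection needed."""
import struct

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users", the default primary group


def make_sid(domain_subs, rid):
    """Build a binary objectSid in the layout AD returns over LDAP
    (used here only to construct sample data)."""
    subs = list(domain_subs) + [rid]
    # revision 1, sub-authority count, 48-bit identifier authority 5 (NT),
    # then the sub-authorities as little-endian 32-bit integers
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(sid):
    """Decode a binary objectSid to the familiar S-1-5-21-...-RID form."""
    rev, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def rid_from_sid(sid):
    """The RID is the last sub-authority; primaryGroupID stores exactly this number."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]


# --- constructed sample directory (hypothetical names and SIDs) ---
DOMAIN_SUBS = (21, 1111, 2222, 3333)
BASE = "DC=example,DC=com"
ENGINEERING = {
    "dn": "CN=Engineering,OU=Groups," + BASE,
    "objectSid": make_sid(DOMAIN_SUBS, 1105),
    "member": ["CN=alice,OU=Staff," + BASE],  # what ldapsearch on 'member' returns
}
DOMAIN_USERS = {
    "dn": "CN=Domain Users,CN=Users," + BASE,
    "objectSid": make_sid(DOMAIN_SUBS, DOMAIN_USERS_RID),
    "member": [],  # normally empty: everyone belongs via primaryGroupID only
}
USERS = [
    {"dn": "CN=alice,OU=Staff," + BASE, "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Staff," + BASE, "primaryGroupID": 1105},    # hidden from 'member'
    {"dn": "CN=carol,OU=Staff," + BASE, "primaryGroupID": 1105},  # hidden from 'member'
    {"dn": "CN=dave,OU=Staff," + BASE, "primaryGroupID": 513},
]


def primary_group_members(group, users):
    """Users whose primary group is this group: the members a plain LDAP query misses."""
    rid = rid_from_sid(group["objectSid"])
    return sorted(u["dn"] for u in users if u["primaryGroupID"] == rid)


def effective_members(group, users):
    """What the ADUC snap-in shows: explicit members plus primary-group members.
    AD keeps the two sets disjoint, but a set union is safe either way."""
    return sorted(set(group["member"]) | set(primary_group_members(group, users)))


def primary_group_reset_plan(users, domain_users_group):
    """Plan the fix from the accepted answer: point every non-default primary group
    back at Domain Users. AD only accepts a primaryGroupID naming a group the user
    is already an explicit member of, so the plan records that prerequisite."""
    plan = []
    for u in users:
        if u["primaryGroupID"] == DOMAIN_USERS_RID:
            continue
        plan.append({"dn": u["dn"], "old_rid": u["primaryGroupID"],
                     "add_to_domain_users_first": u["dn"] not in domain_users_group["member"]})
    return plan


if __name__ == "__main__":
    print("group SID:", sid_to_string(ENGINEERING["objectSid"]))
    print("via member only:   ", ENGINEERING["member"])
    print("via primaryGroupID:", primary_group_members(ENGINEERING, USERS))
    print("effective:         ", effective_members(ENGINEERING, USERS))
    for step in primary_group_reset_plan(USERS, DOMAIN_USERS):
        print("reset:", step)
```

Against a live directory the join in `primary_group_members` is a single search, `(primaryGroupID=<rid>)` over the user base, run alongside the `member` lookup; auditing both before trusting any LDAP-based group report avoids the 27-versus-54 surprise from the question. The plan function also explains the error the author hit when removing members: a user cannot be removed from the group that is their primary group, so the primary group has to be moved first, and only to a group the user is already a member of.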