Solved

LDAP does not enumerate all members of a AD group

Posted on 2003-11-12
5
220 Views
Last Modified: 2010-04-13
We are running Windows 2000, Active Directory in native mode.  We upgraded our existing NT 4 domain and migrated all the user accounts and groups (there are no more NT 4 Domain Controllers).

When I use the "Active Directory Users and Computers" snap-in to view a particular group on the Domain, I see 54 members.  However, when I use Linux "ldapsearch" or even a VBS script using LDAP, I only see 27 members.

However, when I use some of my old perl scripts I used on our old NT 4 Domain and query the same group, I see all 54 members.  I have searched Microsoft's KB site and the web but can not find anything that explains this discrepancy.

I would like to use VBS and LDAP to administer my AD but if it is not consistent, I'm going to have problems.
0
Comment
Question by:rotaiv
  • 2
5 Comments
 
LVL 3

Expert Comment

by:Gunsen
ID: 9730996
Inspect the each member using a ldap browser, and check attributes:  objectClass and objectCategory to see if they differ for any member?
0
 

Author Comment

by:rotaiv
ID: 9731341
I checked and both attributes are the same.  The only difference between the two users is the "Group Membership" - which is the whole problem.  All of the other attributes appear to be the same except for personal information obviously.
0
 

Accepted Solution

by:
rotaiv earned 0 total points
ID: 10042642
I have found the answer.  The inconsistency was due to the "Primary Group" value of specific members.  When you use "Active Directory Users and Computers" snap-in to view a particular group, it will show all "members" of that group AND all users who have that particular group set as their "Primary Group".  However, when you use LDAP, it will ONLY show members of that group and NOT users who have that group as their "Primary Group".

In conclusion, I had 27 users whose primary group was NOT "Domain Users" (which is the default).  I wrote a VBS script that changed the "Primary Group" for all users in the domain to "Domain Users" and that fixed my problem.  It would appear that my old perl scripts working in NT 4 compatibility mode also listed users via the "Primary Group" the same as the Active Directory snap-in.

For what it is worth, we discovered the solution when we tried to remove the unwanted users from the group.  We got the error message indicating we could not do that because it was their primary group.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
no desktop when login to windows server 2000 7 333
auto copy 8 617
Cannot raise Forest Functional Level - Administrative Limit Exceeded 8 1,899
Windows 2000 undelete (free program?) 6 435
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question