Solved

LDAP does not enumerate all members of an AD group

Posted on 2003-11-12
Last Modified: 2010-04-13
We are running Windows 2000, Active Directory in native mode.  We upgraded our existing NT 4 domain and migrated all the user accounts and groups (there are no more NT 4 Domain Controllers).

When I use the "Active Directory Users and Computers" snap-in to view a particular group on the Domain, I see 54 members.  However, when I use Linux "ldapsearch" or even a VBS script using LDAP, I only see 27 members.

However, when I use some of my old Perl scripts I used on our old NT 4 Domain and query the same group, I see all 54 members.  I have searched Microsoft's KB site and the web but cannot find anything that explains this discrepancy.

I would like to use VBS and LDAP to administer my AD but if it is not consistent, I'm going to have problems.
Question by:rotaiv
LVL 3

Expert Comment

by:Gunsen
ID: 9730996
Inspect each member using an LDAP browser, and check the attributes objectClass and objectCategory to see if they differ for any member.

Author Comment

by:rotaiv
ID: 9731341
I checked and both attributes are the same.  The only difference between the two users is the "Group Membership" - which is the whole problem.  All of the other attributes appear to be the same except for personal information obviously.

Accepted Solution

by:rotaiv (earned 0 total points)
ID: 10042642
I have found the answer.  The inconsistency was due to the "Primary Group" value of specific members.  When you use "Active Directory Users and Computers" snap-in to view a particular group, it will show all "members" of that group AND all users who have that particular group set as their "Primary Group".  However, when you use LDAP, it will ONLY show members of that group and NOT users who have that group as their "Primary Group".

In conclusion, I had 27 users whose primary group was NOT "Domain Users" (which is the default).  I wrote a VBS script that changed the "Primary Group" for all users in the domain to "Domain Users" and that fixed my problem.  It would appear that my old Perl scripts working in NT 4 compatibility mode also listed users via the "Primary Group" the same as the Active Directory snap-in.

For what it is worth, we discovered the solution when we tried to remove the unwanted users from the group.  We got the error message indicating we could not do that because it was their primary group.
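To illustrate the mechanism described in the accepted solution, here is an added Python example (not code from the thread or from rotaiv's VBS script) that reproduces what the snap-in does: it decodes a group's binary objectSid to get its RID, then unions the explicit `member` list with the users whose `primaryGroupID` equals that RID, and also builds the LDAP filter that finds those otherwise invisible users. The domain SID, group name and user DNs are constructed sample values standing in for LDAP search results.

```python
import struct

# Constructed sample domain SID (not a real domain): S-1-5-21-1111-2222-3333
DOMAIN_SUBAUTHS = (21, 1111, 2222, 3333)
DOMAIN_USERS_RID = 513   # well-known RID of "Domain Users", the default primary group

def make_sid(subauths, rid):
    """Build a binary SID in the layout AD stores in objectSid: revision byte,
    sub-authority count byte, 48-bit big-endian identifier authority (5 = NT),
    then 32-bit little-endian sub-authorities, the last of which is the RID."""
    subs = tuple(subauths) + (rid,)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def rid_from_sid(sid):
    """The RID is the final 32-bit little-endian sub-authority of objectSid."""
    count = sid[1]
    return struct.unpack("<I", sid[8 + 4 * (count - 1):8 + 4 * count])[0]

def primary_group_filter(group_sid):
    """LDAP filter selecting users whose primaryGroupID is this group's RID;
    these are exactly the accounts a plain 'member' lookup misses."""
    return "(&(objectCategory=person)(objectClass=user)(primaryGroupID=%d))" % rid_from_sid(group_sid)

def full_group_members(group, users):
    """Union of the explicit 'member' DNs with the users whose primaryGroupID
    equals the group's RID, which is the set the ADUC snap-in displays."""
    rid = rid_from_sid(group["objectSid"])
    explicit = set(group.get("member", []))
    by_primary = {u["distinguishedName"] for u in users if u["primaryGroupID"] == rid}
    return explicit | by_primary

# Constructed sample objects standing in for LDAP search results.
STAFF_RID = 1105
STAFF = {
    "distinguishedName": "CN=Staff,OU=Groups,DC=example,DC=test",
    "objectSid": make_sid(DOMAIN_SUBAUTHS, STAFF_RID),
    "member": ["CN=alice,OU=Users,DC=example,DC=test",
               "CN=carol,OU=Users,DC=example,DC=test"],
}
USERS = [
    {"distinguishedName": "CN=alice,OU=Users,DC=example,DC=test", "primaryGroupID": DOMAIN_USERS_RID},
    {"distinguishedName": "CN=bob,OU=Users,DC=example,DC=test",   "primaryGroupID": STAFF_RID},   # missed by 'member'
    {"distinguishedName": "CN=carol,OU=Users,DC=example,DC=test", "primaryGroupID": STAFF_RID},   # listed both ways
]

if __name__ == "__main__":
    print("member attribute only:  ", sorted(STAFF["member"]))
    print("member + primary group: ", sorted(full_group_members(STAFF, USERS)))
    print("filter for missing users:", primary_group_filter(STAFF["objectSid"]))
```

The same gap applies when auditing membership of privileged groups with a plain `member` query: a user whose primary group is set to that group holds the membership without appearing in the attribute, so a review should run the primaryGroupID filter as well.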
