Solved

Active Directory LDAP: Group membership incomplete

Posted on 2004-10-04
5
1,436 Views
Last Modified: 2013-12-03
Hello,

I have got a heavy problem with active-directory ldap access:

I try to find out which user is in wich group - or which users belong to each group.

The problem is, that in AD the "Domain Admin"-group has about 20 group members, but in LDAP-sight it has only 7 ??????

I tried [difde.exe -f export.ldf -r "(cn=Domain Admins)"] and got also 7 members.

In each way (even ADSI) there are only 7 members, but in reality and the "Active Directory Users & Computers" there are about 20 members.

One thought is, that it depends on this ActiveDirectory that was migrated (updated) from an Windows NT4-Domain. Perhaps the migrate failed for these users - I have not tried it with another domain yet.

Any thought getting that right ?

Thank you !
Sincerely, Caronas
0
Comment
Question by:caronas
  • 3
5 Comments
 
LVL 3

Author Comment

by:caronas
ID: 12216969
p.s.: It is a Windows NT4-Domain updated with Windows 2003 Server Standard (Full Version)
0
 
LVL 8

Expert Comment

by:mxjijo
ID: 12218672

caronas,
           You question sounds more like an admin related one.
May be you should try posting this qn in OS area. Here it is more programming stuff.

good luck.
0
 
LVL 3

Author Comment

by:caronas
ID: 12218777
Hmm ... thats somewhat right, but ldap interface is used with programming only - administrators will not see that problem, because the AD User&Computer shows it all right.
0
 
LVL 3

Author Comment

by:caronas
ID: 12218811
I used some diffent methods (e.g. VBS:

set group=GetObject("LDAP://cn=Domain Admins,cn=Users,dc=mydomain, dc=de")
group.GetInfo
for each member in group.GetEx("member")
    WScript.Echo member
next
)
0
 
LVL 4

Accepted Solution

by:
Milind00 earned 500 total points
ID: 12224947
caronas,

The code you used is only returns the "member" property of the group. But, it is possible that the group can have members which are not listed in "memeber" property. This happes for "Primery Gourps".  For example - X user has primery group "Domain Admins", "X" user's primerygourp peroprty get set, not the member property of the group.

Users and Computers makes additional LDAP query to find members by looking at the primery groups of the users.

Hope this helps....

Milind
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have ever found yourself doing a repetitive action with the mouse and keyboard, and if you have even a little programming experience, there is a good chance that you can use a text editor to whip together a sort of macro to automate the proce…
What my article will show is if you ever had to do processing to a listbox without being able to just select all the items in it. My software Visual Studio 2008 crystal report v11 My issue was I wanted to add crystal report to a form and show…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now