Solved

Active Directory LDAP: Group membership incomplete

Posted on 2004-10-04
5
1,435 Views
Last Modified: 2013-12-03
Hello,

I have got a heavy problem with active-directory ldap access:

I try to find out which user is in wich group - or which users belong to each group.

The problem is, that in AD the "Domain Admin"-group has about 20 group members, but in LDAP-sight it has only 7 ??????

I tried [difde.exe -f export.ldf -r "(cn=Domain Admins)"] and got also 7 members.

In each way (even ADSI) there are only 7 members, but in reality and the "Active Directory Users & Computers" there are about 20 members.

One thought is, that it depends on this ActiveDirectory that was migrated (updated) from an Windows NT4-Domain. Perhaps the migrate failed for these users - I have not tried it with another domain yet.

Any thought getting that right ?

Thank you !
Sincerely, Caronas
0
Comment
Question by:caronas
  • 3
5 Comments
 
LVL 3

Author Comment

by:caronas
Comment Utility
p.s.: It is a Windows NT4-Domain updated with Windows 2003 Server Standard (Full Version)
0
 
LVL 8

Expert Comment

by:mxjijo
Comment Utility

caronas,
           You question sounds more like an admin related one.
May be you should try posting this qn in OS area. Here it is more programming stuff.

good luck.
0
 
LVL 3

Author Comment

by:caronas
Comment Utility
Hmm ... thats somewhat right, but ldap interface is used with programming only - administrators will not see that problem, because the AD User&Computer shows it all right.
0
 
LVL 3

Author Comment

by:caronas
Comment Utility
I used some diffent methods (e.g. VBS:

set group=GetObject("LDAP://cn=Domain Admins,cn=Users,dc=mydomain, dc=de")
group.GetInfo
for each member in group.GetEx("member")
    WScript.Echo member
next
)
0
 
LVL 4

Accepted Solution

by:
Milind00 earned 500 total points
Comment Utility
caronas,

The code you used is only returns the "member" property of the group. But, it is possible that the group can have members which are not listed in "memeber" property. This happes for "Primery Gourps".  For example - X user has primery group "Domain Admins", "X" user's primerygourp peroprty get set, not the member property of the group.

Users and Computers makes additional LDAP query to find members by looking at the primery groups of the users.

Hope this helps....

Milind
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

This tutorial is about how to put some of your C++ program's functionality into a standard DLL, and how to make working with the EXE and the DLL simple and seamless.   We'll be using Microsoft Visual Studio 2008 and we will cut out the noise; that i…
This article shows a few slightly more advanced techniques for Windows 7 gadget programming, including how to save and restore user settings for your gadget and how to populate the "details" panel that is displayed in the Windows 7 gadget gallery.  …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now