Active Directory memberOf User Attribute not showing "Domain Admin" group

Posted on 2006-03-20
Last Modified: 2008-02-26
I'm running an Active Directory on Windows 2003 Server (in Windows 2000 mode since that's the version it was last upgraded from).  Using the "Active Directory Users and Computers" MMC snap-in I can see that my user is a member of five groups, including Domain Admins.

When I use ADSI Edit to view my user, the memberOf attribute only includes four entries, and is missing Domain Admins.

Does anyone know why this is or how to fix it?
Question by: bevco7

    Expert Comment

    by:Chris Dent

    Is Domain Admins the Primary Group for the account? If so, the Primary Group isn't listed in the MemberOf attribute. Helpful, isn't it?

    Anyway, it's possible to retrieve the Primary Group membership: each group has an attribute called Primary Group Token, and this is assigned to an attribute in the user account called primaryGroupID.

    Fortunately, the most common Primary Groups have known IDs (that is, they don't change from domain to domain), so you can check that (the example is all VBScript), i.e.

    ' Bind to the account of the currently logged-on user
    Set objADSystemInfo = CreateObject("ADSystemInfo")
    strUserDN = objADSystemInfo.UserName
    Set objUser = GetObject("LDAP://" & strUserDN)

    ' primaryGroupID holds the ID of the user's Primary Group
    intPrimaryGroupID = objUser.Get("primaryGroupID")
    If intPrimaryGroupID = 512 Then
          WScript.Echo "User is a member of Domain Admins"
    ElseIf intPrimaryGroupID = 513 Then
          WScript.Echo "User is a member of Domain Users"
    End If

    There are more Primary Group IDs (every single group in AD has one of them), but unless you really need it I won't post anything that shows how you can find the membership regardless of primary group.



    Author Comment

    Hi Chris,

    Thanks for the response.  Unfortunately I don't have the first idea about VBScript, and the application (Confluence Wiki, using the "memberOf" attribute) is written in Java.  It might be specific to the program, but is there a way to supply an attribute as "memberOf + text version of primaryGroup"?



    Accepted Solution


    I'm afraid we won't be able to add extra attributes into the directory to create a true group list.

    You may find the easiest solution is just to change the Primary Group (the default is Domain Users and there's no real need for it to be anything else). If you do that then the current primary group will be available in the memberOf Attribute as normal.

    Alternatively, can you base whatever Confluence is using around a different group?


    Author Comment

    Looks like that's what I'll have to do.  I'll create AD Confluence Users and Confluence Admins groups and then add Domain Users and Domain Admins to these groups.  It's highly unlikely that anyone will end up with these as their primary groups.

    Thanks for your help,
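
Added example (not part of the original thread, and not Confluence's or Microsoft's code): when auditing who holds a privileged group, memberOf alone misses anyone whose primary group is that group, as discussed above. The sketch below derives the primary group's SID by replacing the last sub-authority (the RID) of the user's objectSid with primaryGroupID, then merges that group into the memberOf list. The domain SID, DNs, user RID and the dictionary standing in for an LDAP lookup are constructed sample data.

```python
import struct

def sid_to_str(raw):
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def primary_group_sid(user_sid, primary_group_id):
    """Swap the user's RID (last sub-authority) for primaryGroupID."""
    return user_sid.rsplit("-", 1)[0] + "-" + str(int(primary_group_id))

def effective_groups(user, groups_by_sid):
    """Return memberOf plus the primary group's DN, which memberOf omits."""
    pg_sid = primary_group_sid(sid_to_str(user["objectSid"]), user["primaryGroupID"])
    primary_dn = groups_by_sid.get(pg_sid)
    if primary_dn is None:
        raise LookupError("no group found with SID " + pg_sid)
    dns = list(user.get("memberOf", []))
    if primary_dn not in dns:
        dns.append(primary_dn)
    return dns

# Constructed sample data: made-up domain SID and DNs; 512/513 are the IDs from the thread.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)

def make_sid(rid):
    """Build a binary SID for the sample domain (helper for the sample data only)."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", *DOMAIN, rid)

SAMPLE_USER = {
    "objectSid": make_sid(1105),
    "primaryGroupID": "512",      # LDAP clients commonly return this as text
    "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                 "CN=Wiki Editors,OU=Groups,DC=example,DC=com"],
}
# Stand-in for searching the directory for a group by objectSid (assumption).
SAMPLE_GROUPS = {
    sid_to_str(make_sid(512)): "CN=Domain Admins,CN=Users,DC=example,DC=com",
    sid_to_str(make_sid(513)): "CN=Domain Users,CN=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    for dn in effective_groups(SAMPLE_USER, SAMPLE_GROUPS):
        print(dn)
```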

