
Active Directory memberOf User Attribute not showing "Domain Admin" group

I'm running an Active Directory on Windows 2003 Server (in Windows 2000 mode since that's the version it was last upgraded from).  Using the "Active Directory Users and Computers" MMC snap-in I can see that my user is a member of five groups, including Domain Admins.

When I use ADSI Edit to view my user, the memberOf attribute only includes four entries, and is missing Domain Admins.

Does anyone know why this is or how to fix it?
Asked by: bevco7
1 Solution

Chris Dent (PowerShell Developer) commented:

Is Domain Admins the Primary Group for the account? If so, the Primary Group isn't listed in the MemberOf Attribute. Helpful isn't it?

Anyway, it's possible to retrieve the Primary Group membership. Each group has an attribute called Primary Group Token, and this is assigned to an attribute in the User Account called primaryGroupID.

Fortunately the most common Primary Groups have known IDs (that is, they don't change from domain to domain), so you can check that (the example is all VBScript), i.e.

' Bind to the account that is running the script
Set objADSystemInfo = CreateObject("ADSystemInfo")
strUserDN = objADSystemInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)

' primaryGroupID holds the RID of the primary group; 512 and 513 are well-known values
intPrimaryGroupID = objUser.Get("primaryGroupID")
If intPrimaryGroupID = 512 Then
      WScript.Echo "User is a member of Domain Admins"
ElseIf intPrimaryGroupID = 513 Then
      WScript.Echo "User is a member of Domain Users"
End If

There are more Primary Group IDs, every single group in AD has one of them, but unless you really need it I won't post anything that shows how you can find the membership regardless of primary group.

HTH

Chris
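As an added example (not code from the thread), the same check in Python, generalised beyond the two hard-coded IDs: primaryGroupID is the group's RID, so appending it to the user's domain SID gives the primary group's SID, which can then be merged into memberOf to get the full list an application like Confluence would otherwise miss. The domain SID, DNs and RID 1104 below are constructed sample values.

```python
import struct

# Well-known primary group RIDs quoted in the thread
WELL_KNOWN_PRIMARY_GROUPS = {512: "Domain Admins", 513: "Domain Users"}

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid: revision, count, 6-byte authority, 32-bit LE subauthorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-... string in the same binary layout (used here to build sample data)."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def well_known_primary_group(primary_group_id: int):
    """Chris's VBScript check: map the well-known RIDs by number, no directory lookup needed."""
    return WELL_KNOWN_PRIMARY_GROUPS.get(primary_group_id)

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is a RID; the group's SID is the user's domain SID with that RID appended."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def effective_groups(user: dict, groups_by_sid: dict) -> list:
    """memberOf omits the primary group, so resolve it by SID and merge it in."""
    pg_sid = primary_group_sid(sid_from_bytes(user["objectSid"]), user["primaryGroupID"])
    pg_dn = groups_by_sid.get(pg_sid, "<unresolved primary group %s>" % pg_sid)
    return sorted(set(user["memberOf"]) | {pg_dn})

def privileged_primary_group(user: dict) -> bool:
    """True when Domain Admins is the primary group: a membership that a memberOf-only audit misses."""
    return user["primaryGroupID"] == 512

# Constructed sample data (hypothetical domain SID, DNs and user; not values from the thread)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = {
    DOMAIN_SID + "-512": "CN=Domain Admins,CN=Users,DC=example,DC=com",
    DOMAIN_SID + "-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
}
SAMPLE_USER = {
    "objectSid": sid_to_bytes(DOMAIN_SID + "-1104"),
    "primaryGroupID": 512,  # the situation in the question: Domain Admins is the primary group
    "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com",
                 "CN=Confluence Admins,CN=Users,DC=example,DC=com"],
}
```

Feeding real values in means reading objectSid, primaryGroupID and memberOf for the user and objectSid plus distinguishedName for each group over LDAP; the merge logic stays the same.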

bevco7 (Author) commented:
Hi Chris,

Thanks for the response.  Unfortunately I don't have the first idea about VBScript, and the application (Confluence Wiki, www.atlassian.com) using the "memberOf" attribute is written in Java.  It might be specific to the program, but is there a way to supply an attribute as "memberOf + text version of primaryGroup"?

Thanks,

Sam

Chris Dent (PowerShell Developer) commented:

I'm afraid we won't be able to add extra attributes into the directory to create a true group list.

You may find the easiest solution is just to change the Primary Group (the default is Domain Users and there's no real need for it to be anything else). If you do that then the current primary group will be available in the memberOf Attribute as normal.

Alternatively, can you base whatever Confluence is using around a different group?

Chris

bevco7 (Author) commented:
Looks like that's what I'll have to do.  I'll create AD Confluence Users and Confluence Admins groups and then add Domain Users and Domain Admins to these groups.  It's highly unlikely that anyone will end up with these as their primary groups.

Thanks for your help,

Sam