Active Directory memberOf User Attribute not showing "Domain Admin" group

I'm running an Active Directory on Windows 2003 Server (in Windows 2000 mode since that's the version it was last upgraded from).  Using the "Active Directory Users and Computers" MMC snap-in I can see that my user is a member of five groups, including Domain Admins.

When I use ADSI Edit to view my user, the memberOf attribute only includes four entries, and is missing Domain Admins.

Does anyone know why this is or how to fix it?
Chris Dent (PowerShell Developer) commented:

Is Domain Admins the Primary Group for the account? If so, the Primary Group isn't listed in the memberOf attribute. Helpful, isn't it?

Anyway, it's possible to retrieve the Primary Group membership: each group has an attribute called Primary Group Token, and this is assigned to an attribute in the User Account called primaryGroupID.

Fortunately the most common Primary Groups have known IDs (that is, they don't change from domain to domain), so you can check that (example is all VBScript), i.e.

' Bind to the account of the currently logged-on user
Set objADSystemInfo = CreateObject("ADSystemInfo")
strUserDN = objADSystemInfo.UserName
Set objUser = GetObject("LDAP://" & strUserDN)

' primaryGroupID identifies the user's Primary Group
intPrimaryGroupID = objUser.Get("primaryGroupID")
' 512 and 513 are the known IDs for Domain Admins and Domain Users
If intPrimaryGroupID = 512 Then
    WScript.Echo "User is a member of Domain Admins"
ElseIf intPrimaryGroupID = 513 Then
    WScript.Echo "User is a member of Domain Users"
End If

There are more Primary Group IDs, every single group in AD has one of them, but unless you really need it I won't post anything that shows how you can find the membership regardless of primary group.
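
Added example (not part of the original thread or any poster's code): a Python sketch of why a memberOf-only check, such as an application's group lookup or a privileged-group audit, misses an account whose primary group is Domain Admins, and how the primary group can be resolved from objectSid plus primaryGroupID. The domain SID, DNs, user RIDs and all function names are constructed for illustration; in a live directory the SID-to-DN map would come from looking up the groups' objectSid values.

```python
import struct

def make_sid(*subs):
    """Build a binary SID (revision 1, authority 5) for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_str(sid):
    """Decode a binary objectSid value into its S-1-5-21-... string form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")               # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", sid[8:8 + 4 * count])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid, primary_group_id):
    """Swap the user's own RID (last sub-authority) for primaryGroupID."""
    domain_sid = sid_to_str(object_sid).rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(user, groups_by_sid):
    """memberOf plus the primary group's DN, which memberOf never lists."""
    groups = list(user["memberOf"])
    primary_dn = groups_by_sid.get(primary_group_sid(user["objectSid"], user["primaryGroupID"]))
    if primary_dn and primary_dn not in groups:
        groups.append(primary_dn)
    return groups

def hidden_members(users, groups_by_sid, group_dn):
    """Users who hold group_dn only as primary group, invisible to a memberOf check."""
    return [u["dn"] for u in users
            if group_dn not in u["memberOf"] and group_dn in effective_groups(u, groups_by_sid)]

# Constructed sample data (domain SID, DNs and RIDs 1105/1106 are made up).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
ADMINS_DN = "CN=Domain Admins,CN=Users,DC=example,DC=com"
USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
GROUPS_BY_SID = {sid_to_str(make_sid(*DOMAIN, 512)): ADMINS_DN,
                 sid_to_str(make_sid(*DOMAIN, 513)): USERS_DN}
USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectSid": make_sid(*DOMAIN, 1105),
     "primaryGroupID": 512, "memberOf": ["CN=Wiki Editors,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "objectSid": make_sid(*DOMAIN, 1106),
     "primaryGroupID": 513, "memberOf": [ADMINS_DN]},
]

if __name__ == "__main__":
    for dn in hidden_members(USERS, GROUPS_BY_SID, ADMINS_DN):
        print("memberOf misses Domain Admins for:", dn)
```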


bevco7 (Author) commented:
Hi Chris,

Thanks for the response.  Unfortunately I don't have the first idea about VBScript, and the application (Confluence Wiki, using the "memberOf" attribute) is written in Java.  It might be specific to the program, but is there a way to supply an attribute as "memberOf + text version of primaryGroup"?


Chris Dent (PowerShell Developer) commented:

I'm afraid we won't be able to add extra attributes into the directory to create a true group list.

You may find the easiest solution is just to change the Primary Group (the default is Domain Users and there's no real need for it to be anything else). If you do that then the current primary group will be available in the memberOf Attribute as normal.

Alternatively, can you base whatever Confluence is using around a different group?


bevco7 (Author) commented:
Looks like that's what I'll have to do.  I'll create AD Confluence Users and Confluence Admins groups and then add Domain Users and Domain Admins to these groups.  It's highly unlikely that anyone will end up with these as their primary groups.

Thanks for your help,
