Primary Group in Active Directory

While answering another question I came across references to the 'Primary Group' and changing the 'Primary Group' of a user in Active Directory.

Despite being a Windows 2000 and 2003 MCSE, as well as having extensive systems management experience, I've never come across this before and am still at a loss as to exactly what its function is.

Can anyone shed any light on exactly what purpose the 'Primary Group' serves and why I might want to change it for a user?

I have a reference to http://technet2.microsoft.com/windowsserver/en/library/29d56071-f744-4626-8df5-3ca77a60b6be1033.mspx?mfr=true which details how to change the 'Primary Group' but why would I want to do this?

Brian Pierce
4 Solutions
It may apply to some cross-platform (i.e., Linux & UNIX) authentication features.

If I remember correctly from my NT4 days it had to do with POSIX compatibility. Beyond that I've never seen it used.

Toni Uranjek (Consultant/Trainer) commented:

The user's primary group is only relevant for users who log on to the network from a Macintosh client or who are running POSIX-compliant applications. Unless you are using these services, there is no need to change the primary group from Domain Users, which is the default value.

This blog entry explains exactly how the primary group differs from other groups:


Brian Pierce (Photographer, Author) commented:
Interesting - but I've now read it three times and I'm still not sure what, in practical terms, it's actually used for. Also, the article suggests that the reason for the primary group is that it is not subject to the 5000 object limit implicit in Windows 2000 AD - so what use is it in Windows 2003, which does not have the 5000 limit?

I'm just as confused as ever !
Toni Uranjek (Consultant/Trainer) commented:
AFAIK, no practical use in a Windows 2003 environment other than backwards compatibility or compatibility with Macs or POSIX.
You can find more things in AD that are implemented for compatibility reasons or to comply with standards which have nothing to do with AD. ;)
I can list a couple of other things which are not important in an AD environment, but they are implemented to comply with standards (inetorgperson, plenty of DHCP options not accepted by MS clients, or custom application partitions which are, I believe, completely an MS idea, but I have always had trouble explaining to students what they are for).
The primary group was originally designed for the reasons outlined above; compatibility with OSs that exploit the concept of a 'Group owner'.  This is true to say of *nix and pre-*nix Macs.

Later, the primary group offered a convenient means by which Microsoft could circumvent the linked-value multi-value limitation in Windows 2000 (and even Windows 2003 pre-forest-functional-level 1) of 5000 direct values (imagine upgrading an NT4 domain of 20,000 users to Windows 2000 only to be told that you can't have all of your users in the Domain Users group because the brand-spanking-new database just can't hack it).  The primary group achieves this by maintaining the group membership in a distributed manner as opposed to in one large lump.  As you know, in a normal user-to-group relationship, membership is maintained by the link-valued multi-valued group property "member" which can also be looked at in the opposite direction from the user object's perspective using the other half of the link-pair "memberof".  In the case of a user's primary group, the group itself has no knowledge whatsoever that the user is in fact a member ... only the user maintains that information.  

Users maintain their primary group membership using the "primaryGroupID" property; the group is identified by its RID, stored as a simple INTEGER. The RID serves as sufficient identification data because a user's primary group must reside in the same domain as they do. This, therefore, permits the primary group's SID to be inferred by taking the user's SID and substituting the user's RID with the RID of the group, i.e. -

user's objectSID = S-1-5-21-1993962763-746137067-725345543-192243
user's primary group RID = 513
calculated primary group SID = S-1-5-21-1993962763-746137067-725345543-513

Hope that helps.
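The SID substitution described in the answer above, and its consequence for membership audits (a primary-group member never appears in the group's own "member" attribute), as an added example that is not part of the original thread. The directory objects are constructed sample data: the domain SID prefix and the 192243/513 values are the ones quoted in the answer, while the DNs, the App-Admins group and the RIDs 1104-1106 are assumptions made for the example.

```python
"""Derive a primary group SID from objectSid + primaryGroupID, and resolve
effective group membership so that primary-group members are not missed."""
from __future__ import annotations

import re

# Textual SID: S-1-<authority>-<subauthority>... with the RID as the last part.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample directory (not real data). The prefix and the RIDs
# 192243 and 513 come from the answer above; everything else is made up.
DOMAIN_SID = "S-1-5-21-1993962763-746137067-725345543"

USERS = {
    "CN=Alice,OU=Staff,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-192243", "primaryGroupID": 513},
    "CN=Bob,OU=Staff,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": 513},
    # Carol's primary group was changed away from the default (hypothetical).
    "CN=Carol,OU=Staff,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-1106", "primaryGroupID": 1104},
}

GROUPS = {
    # Domain Users typically has an empty "member" attribute: the users are
    # there only via primaryGroupID, exactly as the answer describes.
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-513", "member": []},
    "CN=App-Admins,OU=Groups,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-1104",
        "member": ["CN=Bob,OU=Staff,DC=example,DC=local"]},
}


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a textual SID into (domain SID, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Replace the user's RID with primaryGroupID to get the group's SID."""
    domain_sid, _ = parse_sid(user_sid)
    return f"{domain_sid}-{primary_group_id}"


def effective_members(group_dn: str, users=USERS, groups=GROUPS) -> list[str]:
    """Union of the group's 'member' links and every same-domain user whose
    primaryGroupID equals the group's RID (those never appear in 'member')."""
    group = groups[group_dn]
    group_domain, group_rid = parse_sid(group["objectSid"])
    members = set(group["member"])
    for dn, attrs in users.items():
        user_domain, _ = parse_sid(attrs["objectSid"])
        if user_domain == group_domain and attrs["primaryGroupID"] == group_rid:
            members.add(dn)
    return sorted(members)


def nondefault_primary_groups(users=USERS, default_rid: int = 513) -> dict[str, int]:
    """Users whose primaryGroupID is not Domain Users (RID 513); since the
    default is rarely changed on purpose, these are worth reviewing."""
    return {dn: attrs["primaryGroupID"] for dn, attrs in users.items()
            if attrs["primaryGroupID"] != default_rid}


if __name__ == "__main__":
    alice = USERS["CN=Alice,OU=Staff,DC=example,DC=local"]
    print("Alice's primary group SID:",
          primary_group_sid(alice["objectSid"], alice["primaryGroupID"]))
    for dn in GROUPS:
        print(dn, "->", effective_members(dn))
    print("non-default primaryGroupID:", nondefault_primary_groups())
```

The point of effective_members is that reading only the "member" attribute of App-Admins reports Bob alone, while Carol is just as much a member through primaryGroupID; any membership audit or access review has to resolve both halves, and nondefault_primary_groups gives a cheap first pass over accounts whose primary group has been moved off the default.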