

Primary Group in Active Directory

Posted on 2007-08-03
Medium Priority
Last Modified: 2013-11-05
While answering another question I came across references to the 'Primary Group' and changing the 'Primary Group' of a user in Active Directory.

Despite being a Windows 2000 and 2003 MCSE and having extensive systems management experience, I've never come across this before and am still at a loss as to exactly what its function is.

Can anyone shed any light on exactly what purpose the 'Primary Group' serves and why I might want to change it for a user?

I have a reference to http://technet2.microsoft.com/windowsserver/en/library/29d56071-f744-4626-8df5-3ca77a60b6be1033.mspx?mfr=true which details how to change the 'Primary Group' but why would I want to do this?

Question by:KCTS
LVL 26

Assisted Solution

MidnightOne earned 400 total points
ID: 19624819
It may apply to some cross-platform (i.e., Linux & UNIX) authentication features.

If I remember correctly from my NT4 days it had to do with POSIX compatibility. Beyond that I've never seen it used.

LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 800 total points
ID: 19630141

The user's primary group is only relevant for users who log on to the network from a Macintosh client or who are running POSIX-compliant applications. Unless you are using these services, there is no need to change the primary group from Domain Users, which is the default value.

This blog entry explains exactly how the primary group differs from other groups:


LVL 70

Author Comment

ID: 19632024
Interesting - but I've now read it three times and I'm still not sure what, in practical terms, it's actually used for. Also, the article suggests that the reason for the primary group is that it is not subject to the 5000 object limit implicit in Windows 2000 AD - so what use is it in Windows 2003, which does not have the 5000 limit?

I'm just as confused as ever!
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 800 total points
ID: 19632079
AFAIK, no practical use in a Windows 2003 environment other than backwards compatibility or compatibility with Macs or POSIX.
You can find more things in AD that are implemented for compatibility reasons or to comply with standards which have nothing to do with AD. ;)
I can list a couple of other things which are not important in an AD environment, but they are implemented to comply with standards (inetOrgPerson, plenty of DHCP options not accepted by MS clients, or custom application partitions which are, I believe, completely an MS idea, but I have always had trouble explaining to students what they are for).

Accepted Solution

MSE-dwells earned 800 total points
ID: 19649198
The primary group was originally designed for the reasons outlined above; compatibility with OSs that exploit the concept of a 'Group owner'.  This is true to say of *nix and pre-*nix Macs.

Later, the primary group offered a convenient means by which Microsoft could circumvent the linked-value multi-value limitation in Windows 2000 (and even Windows 2003 pre-forest-functional-level 1) of 5000 direct values (imagine upgrading an NT4 domain of 20,000 users to Windows 2000 only to be told that you can't have all of your users in the Domain Users group because the brand-spanking-new database just can't hack it).  The primary group achieves this by maintaining the group membership in a distributed manner as opposed to in one large lump.  As you know, in a normal user-to-group relationship, membership is maintained by the link-valued multi-valued group property "member" which can also be looked at in the opposite direction from the user object's perspective using the other half of the link-pair "memberof".  In the case of a user's primary group, the group itself has no knowledge whatsoever that the user is in fact a member ... only the user maintains that information.  

Users maintain their primary group membership using the "primaryGroupID" property; the group is identified by its RID stored as a simple INTEGER. The RID serves as sufficient identification data because a user's primary group must reside in the same domain as they do. This, therefore, permits the primary group's SID to be inferred by taking the user's SID and substituting the user's RID with the RID of the group, i.e. -

user's objectSID = S-1-5-21-1993962763-746137067-725345543-192243
user's primary group RID = 513
calculated primary group SID = S-1-5-21-1993962763-746137067-725345543-513

Hope that helps.
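The SID substitution described in the accepted answer, as an added example that is not part of the original thread: it decodes a binary objectSid as LDAP returns it, infers the primary group's SID from primaryGroupID, and builds a user's effective group list by adding the primary group that memberOf never lists. The sample SID is the one quoted above; the memberOf value is constructed.

```python
import struct

# Sample values: the user SID quoted in the accepted answer and RID 513 (Domain Users)
USER_SID = "S-1-5-21-1993962763-746137067-725345543-192243"
USER_PRIMARY_GROUP_ID = 513
# Constructed memberOf entry for illustration (a group in the same domain, RID 1108)
SAMPLE_MEMBER_OF = ["S-1-5-21-1993962763-746137067-725345543-1108"]


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid (revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities)
    into the familiar S-1-5-21-... text form."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, sid[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, used here to build test input offline."""
    parts = text.split("-")  # ["S", revision, authority, sub-authorities...]
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group must live in the user's own domain, so its SID is the
    user's SID with the trailing RID replaced by primaryGroupID."""
    domain_sid, _user_rid = user_sid.rsplit("-", 1)
    return f"{domain_sid}-{primary_group_id}"


def effective_group_sids(user_sid: str, primary_group_id: int, member_of: list) -> list:
    """memberOf (and the group's own member attribute) never records the primary
    group, so any membership audit has to add it explicitly or it will miss it."""
    return sorted(set(member_of) | {primary_group_sid(user_sid, primary_group_id)})


if __name__ == "__main__":
    print(sid_to_string(string_to_sid(USER_SID)))
    print(primary_group_sid(USER_SID, USER_PRIMARY_GROUP_ID))
    print(effective_group_sids(USER_SID, USER_PRIMARY_GROUP_ID, SAMPLE_MEMBER_OF))
```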
