Primary Group in Active Directory

Posted on 2007-08-03
Last Modified: 2013-11-05
While answering another question I came across references to the 'Primary Group' and changing the 'Primary Group' of a user in Active Directory.

Despite being a Windows 2000 and 2003 MCSE and having extensive systems management experience, I've never come across this before and am still at a loss as to exactly what its function is.

Can anyone shed any light on exactly what purpose the 'Primary Group' serves and why I might want to change it for a user?

I have a reference which details how to change the 'Primary Group', but why would I want to do this?

Question by:KCTS
    LVL 26

    Assisted Solution

    It may apply to some cross-platform (i.e., Linux & UNIX) authentication features.

    If I remember correctly from my NT4 days it had to do with POSIX compatibility. Beyond that I've never seen it used.

    LVL 31

    Assisted Solution

    by:Toni Uranjek

    The user's primary group is only relevant for users who log on to the network from a Macintosh client or who are running POSIX-compliant applications. Unless you are using these services, there is no need to change the primary group from Domain Users, which is the default value.

    This blog entry explains exactly how the primary group differs from other groups:


    LVL 70

    Author Comment

    Interesting - but I've now read it three times and I'm still not sure what, in practical terms, it's actually used for. Also, the article suggests that the reason for the primary group is that it is not subject to the 5000 object limit implicit in Windows 2000 AD - so what use is it in Windows 2003, which does not have the 5000 limit?

    I'm just as confused as ever!
    LVL 31

    Assisted Solution

    by:Toni Uranjek
    AFAIK, no practical use in a Windows 2003 environment other than backwards compatibility or compatibility with Macs or POSIX.
    You can find more things in AD that are implemented for compatibility reasons or to comply with standards which have nothing to do with AD. ;)
    I can list a couple of other things which are not important in an AD environment, but they are implemented to comply with standards (inetorgperson, plenty of DHCP options not accepted by MS clients, or custom application partitions which are, I believe, completely an MS idea, but I have always had trouble explaining to students what they are for).
    LVL 9

    Accepted Solution

    The primary group was originally designed for the reasons outlined above; compatibility with OSs that exploit the concept of a 'Group owner'.  This is true to say of *nix and pre-*nix Macs.

    Later, the primary group offered a convenient means by which Microsoft could circumvent the linked-value multi-value limitation in Windows 2000 (and even Windows 2003 pre-forest-functional-level 1) of 5000 direct values (imagine upgrading an NT4 domain of 20,000 users to Windows 2000 only to be told that you can't have all of your users in the Domain Users group because the brand-spanking-new database just can't hack it).  The primary group achieves this by maintaining the group membership in a distributed manner as opposed to in one large lump.  As you know, in a normal user-to-group relationship, membership is maintained by the link-valued multi-valued group property "member" which can also be looked at in the opposite direction from the user object's perspective using the other half of the link-pair "memberof".  In the case of a user's primary group, the group itself has no knowledge whatsoever that the user is in fact a member ... only the user maintains that information.  

    Users maintain their primary group membership using the "primaryGroupID" property; the group is identified by its RID stored as a simple INTEGER.  The RID serves as sufficient identification data because a user's primary group must reside in the same domain as they do.  This, therefore, permits the primary group's SID to be inferred by taking the user's SID and substituting the user's RID with the RID of the group, i.e. -

    user's objectSID = S-1-5-21-1993962763-746137067-725345543-192243
    user's primary group RID = 513
    calculated primary group SID = S-1-5-21-1993962763-746137067-725345543-513

    Hope that helps.
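The SID substitution described in the accepted solution, plus the audit it implies, as an added example (my code, not from the thread or from any Microsoft tool). It decodes the binary objectSid that an LDAP query returns, infers the primary group's SID by swapping the user's RID for primaryGroupID exactly as shown above, and lists accounts whose primary group is not the default Domain Users (RID 513). The point for a defender is the one the answer makes: because the group's "member" attribute never records primary-group members, this membership only shows up when you inspect users, not groups. The SID and RID 513 come from the answer; the account names, the second SID and the RID 512 record are constructed sample data.

```python
"""Primary-group SID inference and a user-side audit.

Added example, not from the thread. Only the first SID and RID 513 are taken
from the answer above; every other value below is constructed.
"""
import struct

DOMAIN_USERS_RID = 513          # default primaryGroupID for user accounts


def bytes_to_sid(blob: bytes) -> str:
    """Decode the binary objectSid LDAP returns into S-1-5-... text.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32 LE."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """Keep the user's domain SID and swap the user's RID for the group's RID.
    Only valid for domain accounts (S-1-5-21-<3 sub-authorities>-<RID>),
    which is exactly why it works: a primary group must live in the same
    domain as the user."""
    parts = object_sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError(f"not a domain account SID: {object_sid!r}")
    if not 0 <= primary_group_id < 2**32:
        raise ValueError("primaryGroupID must be an unsigned 32-bit RID")
    return "-".join(parts[:-1]) + f"-{primary_group_id}"


def audit_primary_groups(records, expected_rid=DOMAIN_USERS_RID):
    """Flag accounts whose primaryGroupID is not the expected default.

    A group's 'member' attribute never lists its primary-group members, so
    the membership is invisible if you only inspect the group; walking the
    user objects is the way to surface it."""
    findings = []
    for rec in records:
        rid = rec["primaryGroupID"]
        if rid == expected_rid:
            continue
        findings.append({
            "sAMAccountName": rec["sAMAccountName"],
            "primaryGroupID": rid,
            "primaryGroupSid": primary_group_sid(rec["objectSid"], rid),
        })
    return findings


# Constructed: the SID from the answer, encoded as LDAP would return it.
SAMPLE_SID_BYTES = (
    struct.pack("<BB6s", 1, 5, (5).to_bytes(6, "big"))
    + struct.pack("<5I", 21, 1993962763, 746137067, 725345543, 192243)
)

# Constructed records; 'svc-backup' has its primary group set to RID 512
# (Domain Admins), the kind of deviation an audit should surface.
SAMPLE_RECORDS = [
    {"sAMAccountName": "jdoe",
     "objectSid": bytes_to_sid(SAMPLE_SID_BYTES),
     "primaryGroupID": 513},
    {"sAMAccountName": "svc-backup",
     "objectSid": "S-1-5-21-1993962763-746137067-725345543-1105",
     "primaryGroupID": 512},
]

if __name__ == "__main__":
    print(primary_group_sid(bytes_to_sid(SAMPLE_SID_BYTES), 513))
    for finding in audit_primary_groups(SAMPLE_RECORDS):
        print(finding)
```

In a real audit the records come from an LDAP query of user objects returning sAMAccountName, objectSid and primaryGroupID; the SID check in primary_group_sid deliberately rejects well-known SIDs such as S-1-5-18, since the RID-swap only holds for accounts in a domain.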
