Domain Users is not necessarily a primary group. Any group can be the primary group for a user. Primary group membership is stored as an attribute of the user and is not reflected in the member collection for a group or the memberOf collection for the user. Primary groups are a Windows NT "feature" that was carried forward into AD in order to support hybrid NT/AD domains. You must take this into account when querying AD group memberships.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder@aep.com
Phone: 614-716-4970
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Harry Jede
Sent: Friday, April 11, 2014 11:16 AM
To: openldap-technical@openldap.org
Cc: Sankar P; Mark Pröhl
Subject: Re: Getting the list of members in an AD group
Sankar P wrote:
The group whose SID I am trying to take is the default "Domain Users" group. The ldapsearch query too fails for that, but for any other custom groups, the membership information is printed. So is there a different style that we should follow for getting the "Domain Users" group members?
Yes.
"Domain Users" is a primary group, membership is stored in the user object.
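Added example (not code from this thread or from OpenLDAP): since primary-group membership lives on the user object rather than in the group's member attribute, the filter has to match users on the group's RID. This helper extracts the RID from a group's binary objectSid and builds the search filter; it assumes the AD attributes primaryGroupID and memberOf (real attributes, but not named in the thread), and the SID and DN values are constructed samples.

```python
import struct

# Constructed sample: a binary objectSid for a "Domain Users"-style group
# (RID 513) in a made-up domain. Real values come from AD, not from the thread.
SAMPLE_GROUP_SID = (
    b"\x01\x05"                               # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")                  # identifier authority NT (5)
    + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 513)
)
SAMPLE_GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"  # constructed


def sid_to_string(sid: bytes) -> str:
    """Render a binary objectSid as S-1-5-21-...-RID text."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def rid_from_sid(sid_text: str) -> int:
    """The last sub-authority of a SID is the RID that primaryGroupID stores."""
    return int(sid_text.rsplit("-", 1)[1])


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN can be embedded safely in a search filter."""
    out = value.replace("\\", "\\5c")          # backslash first, then the rest
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out


def primary_group_filter(group_sid_text: str) -> str:
    """Users whose primary group is this group (absent from its member attribute)."""
    return "(&(objectClass=user)(primaryGroupID=%d))" % rid_from_sid(group_sid_text)


def all_members_filter(group_dn: str, group_sid_text: str) -> str:
    """Direct members via memberOf plus primary-group members via primaryGroupID."""
    return "(&(objectClass=user)(|(memberOf=%s)(primaryGroupID=%d)))" % (
        escape_filter_value(group_dn), rid_from_sid(group_sid_text))


if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_GROUP_SID)
    print(sid)
    # Pass the printed filter to ldapsearch with a base of the domain's users.
    print(all_members_filter(SAMPLE_GROUP_DN, sid))
```

Resolving the group's objectSid first (rather than hard-coding 513) keeps the query correct when an administrator has made a custom group the primary group, which the thread notes is possible.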