Domain Users is not necessarily a primary group. Any group can be the primary group for a
user. Primary group membership is stored as an attribute of the user and is not reflected
in the member collection for a group or the memberOf collection for the user. Primary
groups are a Windows NT "feature" that was carried forward into AD in order to
support hybrid NT/AD domains. You must take this into account when querying AD group
memberships.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder(a)aep.com
Phone: 614-716-4970
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Harry Jede
Sent: Friday, April 11, 2014 11:16 AM
To: openldap-technical(a)openldap.org
Cc: Sankar P; Mark Pröhl
Subject: Re: Getting the list of members in an AD group
Sankar P wrote:
The group whose SID that I am trying to take is the default "Domain
Users" group. The ldapsearch query too fails for that but for any
other custom groups, the membership information is printed. So is
there a different style that we should follow for getting the "Domain
Users" group members?
Yes.
"Domain Users" is a primary group, membership is stored in the user object.
--
Harry Jede