If you can see the user on the Members tab in ADUC, then the user is a
direct member of the group. The only way the DN of the user will not be in
the "member" attribute of the group object is if the user has the group
designated as their "primary" group (or the membership was just changed and
has not yet replicated to all DCs). When you removed the user from the
group did you assign some other group as "primary"? If so, when you added
the user back into the group the DN was added to the "member" attribute
because the user no longer had the group designated as their "primary". Does
that explain what you saw? Click on the user in ADUC, check the Member Of
tab, and find which group is listed as "Primary group" near the bottom.
The memberOf attribute of the user includes the DN of all groups the user is
a direct member, except the group designated as the "primary" group of the
user. The member attribute of any group includes the DN of all direct
members, except any that have the group designated as their "primary".
--
Richard Mueller
MVP Directory Services
Hilltop Lab -
http://www.rlmueller.net
--
"dln" <> wrote in message
news:53B2FC4B-D2BD-4D03-B3E9-...
> So to resolve this, I removed my account from the group via AD Users and
> Computers and then added my account's distinguishedName via adsiedit. It
> fixed it, but I'm still curious as to how the group arrived in the state
> it was in to begin with.
>
> Cheers.
>
> "dln" <> wrote in message
> news:5E662752-A713-4139-B353-...
>> Hello all,
>>
>> I've just run across a problem I've never seen before and was hoping
>> someone could help me with it. We have an in-house (.NET) application
>> that uses LDAP to query Active Directory (Server 2003 R2 native mode) and
>> check if a user is a member of a specific group. With certain accounts
>> (mine included), this check fails. For other accounts, this same check
>> succeeds. I have replicated the call the .NET application uses via LDP
>> and the following query yields no results from within LDP, either:
>>
>> (&(objectClass=group)(CN=Corporate)(member=<my user account's
>> distinguishedName goes here>))
>>
>> I started digging a bit further into it and via Active Directory Users
>> and Computers, I can see my account as a member of the group in question.
>> However, if I look at the "member" attribute of the group via
>> adsiedit.msc, my account's distinguishedName is nowhere to be found. For
>> that matter, my account doesn't appear in any of the group's LDAP
>> attributes. If I attempt to add my user account's distinguishedName
>> directly to the member attribute of the group through adsiedit, adsiedit
>> fails stating that the user is already a member of the group (yes I know,
>> modifying data via adsiedit is not recommended but I'm grasping at straws
>> at this point). My account is in there somewhere, it's just not being
>> reported back via the LDAP properties.
>>
>> How is it that I can be a member of this group, yet not see a reference
>> to my account anywhere within the group's LDAP properties? Is there a
>> different attribute I should be looking at?
>>
>> Thanks.
>
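The membership check described in this thread, written out as an added example (not code from either poster, and not connected to a real directory): the `(member=<DN>)` filter alone misses a user whose primary group is the group in question, so a correct direct-membership check also compares the user's `primaryGroupID` with the group's RID, which is the last sub-authority of the group's `objectSid` (Active Directory also exposes it as the constructed attribute `primaryGroupToken`). The entries, DNs and SIDs below are constructed sample data standing in for LDAP search results.

```python
"""Direct-membership check that accounts for the primary group.

Constructed example: the entries are plain dicts standing in for LDAP
search results; nothing here talks to a real directory.
"""
import struct


def make_sid(*subauthorities):
    """Build a binary SID (revision 1, NT authority 5) from sub-authorities.
    Helper for the constructed sample data only."""
    header = bytes([1, len(subauthorities)]) + (5).to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subauthorities)


def sid_to_string(sid):
    """Render a binary objectSid as S-R-A-S1-...-Sn.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then 32-bit
    little-endian sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(sid):
    """The RID is the last sub-authority; AD exposes it as primaryGroupToken."""
    count = sid[1]
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]


def member_filter_matches(user, group):
    """What the (&(objectClass=group)(member=<user DN>)) filter sees:
    only DNs actually stored in the group's member attribute."""
    member_dns = {dn.lower() for dn in group.get("member", [])}
    return user["distinguishedName"].lower() in member_dns


def is_direct_member(user, group):
    """Direct membership: member attribute first, then the primary-group
    fallback (primaryGroupID equals the group's RID)."""
    if member_filter_matches(user, group):
        return True
    return user["primaryGroupID"] == rid_from_sid(group["objectSid"])


def direct_groups(user, groups_by_dn):
    """All direct groups of a user: memberOf plus the primary group,
    which memberOf never lists."""
    dns = set(user.get("memberOf", []))
    for dn, group in groups_by_dn.items():
        if user["primaryGroupID"] == rid_from_sid(group["objectSid"]):
            dns.add(dn)
    return sorted(dns)


# Constructed sample data (domain SID S-1-5-21-1000-2000-3000).
DOMAIN = (21, 1000, 2000, 3000)
CORPORATE_DN = "CN=Corporate,OU=Groups,DC=example,DC=com"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
DLN_DN = "CN=dln,OU=Users,DC=example,DC=com"
OTHER_DN = "CN=Other User,OU=Users,DC=example,DC=com"

CORPORATE = {
    "distinguishedName": CORPORATE_DN,
    "objectSid": make_sid(*DOMAIN, 1105),
    "member": [OTHER_DN],          # dln is absent: Corporate is dln's primary group
}
DOMAIN_USERS = {
    "distinguishedName": DOMAIN_USERS_DN,
    "objectSid": make_sid(*DOMAIN, 513),
    "member": [DLN_DN],            # Other User is absent: it is that user's primary group
}
GROUPS = {CORPORATE_DN: CORPORATE, DOMAIN_USERS_DN: DOMAIN_USERS}

USER_DLN = {"distinguishedName": DLN_DN, "primaryGroupID": 1105,
            "memberOf": [DOMAIN_USERS_DN]}
USER_OTHER = {"distinguishedName": OTHER_DN, "primaryGroupID": 513,
              "memberOf": [CORPORATE_DN]}


if __name__ == "__main__":
    print("Corporate SID:", sid_to_string(CORPORATE["objectSid"]))
    for user in (USER_DLN, USER_OTHER):
        print(user["distinguishedName"],
              "member filter:", member_filter_matches(user, CORPORATE),
              "direct member:", is_direct_member(user, CORPORATE))
```

Running it shows the thread's symptom: for `dln` the member-filter check is False while the full check is True, and `direct_groups` lists Corporate even though it is missing from `memberOf`. In a real application, read `primaryGroupID` from the user and `primaryGroupToken` (or parse `objectSid`) from the group instead of the constructed dicts.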