Missing "memberOf" LDAP attribute

 
 
Chris
11-20-2009
We have users that are missing the "memberOf" LDAP attribute when they belong to domain security groups. If you look in ADUC, it shows the user is a member of multiple groups. When you look at the user's LDAP attributes (using the third-party tool Softera LDAP browser), the "memberOf" attribute is missing altogether. Any ideas what might be happening? I don't see any errors in the event logs.

I have domain admin permissions and that has no effect on whether it shows or not. I have also created new IDs and they have the same issue.

thanks,
Chris
 
Richard Mueller [MVP]
11-20-2009

I'm not familiar with the Softera browser. What do you see when you use Joe Richards' free adfind utility? For example, for a user with "pre-Windows 2000 logon" name jsmith:

adfind -default -f "(sAMAccountName=jsmith)" memberOf

Note that the number of values in the memberOf attribute will always be one less than the number of direct group memberships shown in ADUC, because the "primary" group (usually "Domain Users") is never included. Also, if the user is a member of only their "primary" group, the memberOf attribute has no values and technically nothing is saved in AD, so perhaps it appears there is no memberOf attribute. Other tools you can use are ADSI Edit and ldp.exe.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


 
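The adfind query above, reproduced with System.DirectoryServices and reconciled against the primary group, as an added example that is not code from the thread or from adfind. It assumes a domain-joined host, a bind as the current logged-on user, and the thread's placeholder account jsmith. It also separates the two cases Richard describes: an attribute that has no stored values and an attribute the server did not return at all (AD returns no error for attributes the bound account is not allowed to read; they are simply absent from the entry).

```powershell
# Added example, not code from the thread or from adfind. Assumes a domain-joined
# host and a bind as the current user; 'jsmith' is the thread's placeholder account.
param([string]$SamAccountName = 'jsmith')

$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNC = $rootDse.defaultNamingContext.Value

# Equivalent of: adfind -default -f "(sAMAccountName=jsmith)" memberOf
# plus the attributes needed to account for the primary group.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
foreach ($attr in 'distinguishedName','objectSid','primaryGroupID','memberOf','userAccountControl') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}
$result = $searcher.FindOne()
if (-not $result) { throw "No user with sAMAccountName '$SamAccountName' in $defaultNC" }

# ResultPropertyCollection keys are lower-case. An attribute the server did not
# return is simply absent: AD gives no error for values the caller may not read.
$props    = $result.Properties
$dn       = $props['distinguishedname'][0]
$memberOf = @($props['memberof'])

# The primary group is stored only as a RID in primaryGroupID; build its SID
# from the user's domain SID and bind to it to get a readable name.
$userSid      = New-Object System.Security.Principal.SecurityIdentifier($props['objectsid'][0], 0)
$primaryRid   = [int]$props['primarygroupid'][0]
$primarySid   = New-Object System.Security.Principal.SecurityIdentifier("$($userSid.AccountDomainSid)-$primaryRid")
$primaryGroup = ([ADSI]"LDAP://<SID=$primarySid>").distinguishedName.Value

"User:             $dn"
"Primary group:    $primaryGroup (RID $primaryRid; never listed in memberOf)"
"memberOf values:  $($memberOf.Count)"
$memberOf | Sort-Object | ForEach-Object { "    $_" }
"Direct memberships as ADUC counts them: $($memberOf.Count + 1)"

# Separate 'no values stored' from 'not allowed to read'.
if (-not $props.Contains('memberof')) {
    if ($props.Contains('useraccountcontrol')) {
        "memberOf not returned, but userAccountControl was: the account is most likely only in its primary group."
    } else {
        "Neither memberOf nor userAccountControl was returned. userAccountControl is populated on every user object, so the account you bound as cannot read these attributes."
    }
}
```

Run it as a domain user on any domain-joined machine; it needs no RSAT or ActiveDirectory module. The memberOf count it prints should match adfind's output, and the "+1" line should match the Member Of tab in ADUC.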
Chris
11-25-2009
Richard,

I used the tool and it does list the memberOf groups correctly. But we have some third-party apps that aren't working correctly. I believe that when these apps query for the LDAP attributes, they are not finding them (specifically memberOf).

So when I used Softera (which is free) I see that the memberOf attribute is missing. I have also since found out that userAccountControl is also not listed.

I found an instance in which you responded to someone else having a similar issue.

This is how they fixed the problem:

The group Authenticated Users needs the permission Read to be set to 'Allow'. All the user objects we've been missing from our query results do not have this permission set. When this permission is set correctly they appear in the results.

Might this be my issue, and how would I verify this? I'm looking in ADUC with Advanced Features and this group is set. Is it something else?




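One way to verify the permission theory in Chris's post, as an added example that is not code from the thread: dump the ACEs that Authenticated Users holds on the user object (the ADUC Security tab only shows a summary), and then bind as a low-privilege account, the way a third-party application would, and ask for the same attributes. AD does not raise an LDAP error for attributes the caller cannot read; it just leaves them out, which is exactly the "missing memberOf and userAccountControl, no errors in the event log" picture. Assumptions: a domain-joined host, the thread's placeholder account jsmith, and a low-privilege domain credential you supply as $TestCredential.

```powershell
# Added example, not code from the thread. Assumes a domain-joined host; 'jsmith' is the
# thread's placeholder account and $TestCredential is a low-privilege domain account
# standing in for the application's service account.
param(
    [string]$SamAccountName = 'jsmith',
    [System.Management.Automation.PSCredential]$TestCredential =
        (Get-Credential -Message 'Low-privilege account the application binds with')
)

$defaultNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value

function Find-UserDN([string]$sam) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
    $s.Filter = "(&(objectClass=user)(sAMAccountName=$sam))"
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $r = $s.FindOne()
    if (-not $r) { throw "No user with sAMAccountName '$sam'" }
    $r.Properties['distinguishedname'][0]
}

$dn   = Find-UserDN $SamAccountName
$user = [ADSI]"LDAP://$dn"

# 1. ACEs granted to Authenticated Users on this object, inherited ones included.
$authUsers = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'Authenticated Users')
$rules = $user.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq $authUsers }

"ACEs for Authenticated Users on $dn"
if (-not $rules) { "  (none: a removed ACE or blocked inheritance would explain unreadable attributes)" }
foreach ($r in $rules) {
    # ObjectType is the empty GUID for 'all properties'; otherwise a property or property-set GUID.
    $scope = if ($r.ObjectType -eq [guid]::Empty) { 'all properties' } else { "property/set $($r.ObjectType)" }
    "  {0,-5} {1,-45} {2} (inherited: {3})" -f $r.AccessControlType, $r.ActiveDirectoryRights, $scope, $r.IsInherited
}

# The "Read" checkbox in ADUC corresponds to Allow ReadProperty (plus list/read-control
# rights) on all properties; check for that specifically.
$hasRead = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq [guid]::Empty -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
"Authenticated Users has Allow ReadProperty on all properties: $([bool]$hasRead)"

# 2. Bind as the low-privilege account and request the same attributes the app needs.
#    Attributes the bound account may not read are silently omitted, not reported as errors.
$de = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dn",
    $TestCredential.UserName,
    $TestCredential.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$wanted = 'memberOf', 'userAccountControl', 'primaryGroupID'
$de.RefreshCache($wanted)
foreach ($attr in $wanted) {
    "{0,-20} returned to {1}: {2}" -f $attr, $TestCredential.UserName, $de.Properties.Contains($attr)
}
```

Run it once as yourself and once against an account like the one the failing application binds with. If the second bind gets primaryGroupID back but not memberOf or userAccountControl, the problem is attribute-level read access for that principal, not the directory data; compare the ACE list with one from a user that the application does see. The built-in `dsacls "CN=...,DC=..."` command prints the same ACL from the command line if you prefer a native tool.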