Missing "memberof" ldap attribute

Discussion in 'Active Directory' started by Chris, Nov 20, 2009.

  1. Chris

    Chris Guest

    We have users that are missing the "memberof" LDAP attribute when they belong
    to domain security groups. If you look in the ADUC, it shows the user is a
    member of multiple groups. When you look at the user's LDAP attributes (using
    the 3rd party tool Softerra LDAP Browser), the "memberof" attribute is missing
    altogether. Any ideas what might be happening? I don't see any errors in the
    event logs.

    I have domain admin permissions and that has no effect on whether it shows
    or not. I have also created new IDs and they have the same issue.

    thanks,
    Chris
     
    Chris, Nov 20, 2009
    #1

  2. I'm not familiar with the Softerra browser. What do you see when you use Joe
    Richards' free adfind utility? For example, for a user with "pre-Windows 2000
    logon" name jsmith:

    adfind -default -f "(sAMAccountName=jsmith)" memberOf

    Note that the number of values in the memberOf attribute will always be one
    less than the number of direct group memberships shown in ADUC, because the
    "primary" group (usually "Domain Users") is never included. Also, if the
    user is a member of only their "primary" group, the memberOf attribute has
    no values and technically nothing is saved in AD, so perhaps it appears
    there is no memberOf attribute. Other tools you can use are ADSI Edit and
    ldp.exe.
     
    Richard Mueller [MVP], Nov 20, 2009
    #2

  3. Chris

    Chris Guest

    Richard,

    I used the tool and it does list the memberOf groups correctly. But we have
    some third party apps that aren't working correctly. I believe that when
    these apps query for the LDAP attributes, they are not finding them
    (specifically memberOf).

    So when I used Softerra (which is free) I see that the memberOf attribute
    is missing. I have also since found out that the userAccountControl attribute
    is also not listed.

    I found an instance in which you responded to someone else having a similar
    issue.

    This is how they fixed the problem:

    The group Authenticated Users needs the permission Read to be set to
    'Allow'. All the user objects we've been missing from our query results do
    not have this permission set. When this permission is set correctly they
    appear in the results.


    Might this be my issue, and how would I verify this? I'm looking in the ADUC
    with Advanced Features and this group is set. Is it something else?
     
    Chris, Nov 25, 2009
    #3
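The two explanations raised in this thread (Richard's point that memberOf is a linked attribute that is simply not stored when the user is only in their primary group, and the Read-permission cause Chris quotes in the last post) can be told apart by comparing what a privileged query returns with what the application's own bind sees. The following is an added example, not code from the thread or from any of the tools named in it. It works on LDAP entries already converted to Python dicts (the shape python-ldap or ldap3 return after decoding); the entries, the example.com domain SID and the group DNs are constructed for illustration, and `diagnose_missing_memberof` is a hypothetical helper name.

```python
"""Reconcile memberOf with what ADUC shows, and classify a 'missing memberOf'.

Added example for this thread. Entries are plain dicts keyed by LDAP attribute
name; in a real run you would fill them from an LDAP search (for example the
adfind query quoted above) made once with a privileged bind and once with the
credentials the misbehaving application uses.
"""
from typing import Dict, List, Union

LdapEntry = Dict[str, Union[str, int, List[str]]]

# Constructed sample data. S-1-5-21-1111-2222-3333 stands in for the domain SID;
# 1105 is the user's RID and 513 is the well-known RID of Domain Users.
ENTRY_ADMIN_VIEW: LdapEntry = {
    "distinguishedName": "CN=J Smith,OU=Users,DC=example,DC=com",
    "sAMAccountName": "jsmith",
    "objectSid": "S-1-5-21-1111-2222-3333-1105",
    "primaryGroupID": 513,
    "userAccountControl": 512,
    "memberOf": [
        "CN=App Users,OU=Groups,DC=example,DC=com",
        "CN=Finance,OU=Groups,DC=example,DC=com",
    ],
}

# Same user as seen by a bind that lacks Read on the object: memberOf and
# userAccountControl are absent from the result, exactly as described in post #3.
ENTRY_APP_VIEW: LdapEntry = {
    "distinguishedName": "CN=J Smith,OU=Users,DC=example,DC=com",
    "sAMAccountName": "jsmith",
    "objectSid": "S-1-5-21-1111-2222-3333-1105",
    "primaryGroupID": 513,
}

# A user who belongs only to Domain Users: AD stores no memberOf at all.
ENTRY_PRIMARY_ONLY: LdapEntry = {
    "distinguishedName": "CN=New Hire,OU=Users,DC=example,DC=com",
    "sAMAccountName": "newhire",
    "objectSid": "S-1-5-21-1111-2222-3333-1210",
    "primaryGroupID": 513,
    "userAccountControl": 512,
}


def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """The primary group is not in memberOf; it is identified by primaryGroupID,
    a RID relative to the domain SID (the user's SID with its own RID removed)."""
    domain_sid = object_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"


def direct_member_of(entry: LdapEntry) -> List[str]:
    """memberOf values, treating an absent attribute as an empty list rather
    than an error (absence is normal for a primary-group-only user)."""
    values = entry.get("memberOf") or []
    return list(values)


def aduc_group_count(entry: LdapEntry) -> int:
    """ADUC's 'Member Of' tab lists the primary group too, so it always shows
    one more entry than memberOf carries."""
    return len(direct_member_of(entry)) + 1


def diagnose_missing_memberof(privileged: LdapEntry, app_view: LdapEntry) -> str:
    """Classify why an application sees no memberOf for a user.

    'not_stored'  : even the privileged query has no values; the user is only in
                    the primary group and nothing is saved in AD (post #2).
    'read_denied' : the privileged query returns values the application's bind
                    does not; the application's identity lacks Read on the user
                    object, which is the Authenticated Users fix in post #3.
    'consistent'  : both binds see the same values; look elsewhere.
    """
    priv = set(direct_member_of(privileged))
    app = set(direct_member_of(app_view))
    if not priv:
        return "not_stored"
    if app != priv:
        return "read_denied"
    return "consistent"


if __name__ == "__main__":
    for label, entry in (("admin", ENTRY_ADMIN_VIEW), ("primary-only", ENTRY_PRIMARY_ONLY)):
        print(label, "memberOf:", direct_member_of(entry),
              "primary:", primary_group_sid(entry["objectSid"], int(entry["primaryGroupID"])),
              "ADUC count:", aduc_group_count(entry))
    print("jsmith:", diagnose_missing_memberof(ENTRY_ADMIN_VIEW, ENTRY_APP_VIEW))
    print("newhire:", diagnose_missing_memberof(ENTRY_PRIMARY_ONLY, ENTRY_PRIMARY_ONLY))
```

The useful part for Chris's case is the two-bind comparison: if adfind run as a domain admin shows the groups but the same search made with the application's service account returns no memberOf (and no userAccountControl, which is also a read-controlled attribute), the object's DACL is the place to look, not the group links themselves. ADUC's permission view shows the effective entries for the object, so an inherited Deny or a blocked inheritance flag on the OU would still need to be checked there.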