Can't get all member objects from Domain Users in LDAP

  • Question

  • Hi, I'm connecting to an Active Directory but I'm not able to get all of the user objects in the Domain Users group.

    I've tried several queries, which only return 41 user objects instead of the 1043 that Active Directory shows through the UI.

    Queries:

    memberOf=CN=Domain Users,OU=ou2,OU=ou1,DC=subdomain,DC=domain,DC=com (41 results)

    (&(memberOf=CN=Domain Users,OU=ou2,OU=ou1,DC=subdomain,DC=domain,DC=com)(objectcategory=person)) (41 results)

    I tried these queries in the following clients:

    • WebSphere Portal (Not an actual client)
    • LDAP Admin
    • Softerra LDAP Administrator
    • Active Directory Users and Computers (Find: Custom Search>Advanced)

    So basically whenever I perform the LDAP query manually I always get the same results.

    Now by browsing through the directory in Active Directory as well as Softerra's LDAP Administrator, I'm able to find all 1043 users.

    Is there a way to find all these users with a different query or something else?

    Wednesday, June 15, 2011 10:13 PM

Answers

  • Most methods do not reveal membership in the "primary" group. For most users, the "primary" group should be "Domain Users". Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals "primary" group membership. In most domains, the member attribute of the "Domain Users" group is empty, and it is safe to assume that all users belong to this group.

    If you need to query for all users that have "Domain Users" designated as their "primary", search for all users whose primaryGroupID attribute is 513. The primaryGroupToken attribute of the group "Domain Users" is the same integer, 513. The LDAP syntax filter could be:

    (primaryGroupID=513)

    Or, to find all direct members of "Domain Users", plus all users that have this group designated as their "primary":

    (|(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513))

    To find all users that have some other group designated as their "primary", the filter could be:

    (&(objectCategory=person)(objectClass=user)(!(primaryGroupID=513)))


    Richard Mueller - MVP Directory Services
    • Marked as answer by ZychoFlow Thursday, June 16, 2011 2:09 PM
    Wednesday, June 15, 2011 10:29 PM
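The membership logic the answer describes, as an added example that is not part of the thread: it assumes constructed directory entries for a hypothetical example.com domain (alice, bob, svc-backup, carol and RID 1105 are invented), derives primaryGroupToken from the group's objectSid, builds the answer's three filters, and splits users into direct members, primary-group members and users whose primary group is something else.

```python
# Added example (not from the thread). memberOf/member never carry primary-group
# membership, so a complete listing is direct members plus users whose
# primaryGroupID equals the group's primaryGroupToken (the RID of its objectSid).

def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of an SDDL SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not an SDDL SID string: {sid!r}")
    return int(parts[-1])

def build_filters(group_dn: str, token: int) -> dict:
    """The answer's three filters with the group DN and token filled in."""
    return {
        "primary_only": f"(primaryGroupID={token})",
        "direct_or_primary": f"(|(memberOf={group_dn})(primaryGroupID={token}))",
        "other_primary": f"(&(objectCategory=person)(objectClass=user)(!(primaryGroupID={token})))",
    }

def effective_members(users: list, group: dict) -> dict:
    """Split users into direct members, primary-group members and users with another primary group."""
    token = rid_from_sid(group["objectSid"])
    group_dn = group["distinguishedName"].lower()  # DNs compare case-insensitively
    direct, primary, other = set(), set(), set()
    for u in users:
        name = u["sAMAccountName"]
        if any(dn.lower() == group_dn for dn in u.get("memberOf", [])):
            direct.add(name)
        if u.get("primaryGroupID") == token:
            primary.add(name)
        else:
            other.add(name)  # primary group is some other group: worth reviewing
    return {"direct": direct, "primary": primary, "other_primary": other,
            "effective": direct | primary}

# Constructed sample directory (hypothetical example.com domain, not from the thread).
DOMAIN_USERS = {
    "distinguishedName": "CN=Domain Users,CN=Users,DC=example,DC=com",
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-513",
}
USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "bob", "primaryGroupID": 513, "memberOf": []},
    # Explicit member of Domain Users whose primary group was moved to RID 1105.
    {"sAMAccountName": "svc-backup", "primaryGroupID": 1105,
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    # Primary group moved and no explicit membership: invisible to memberOf queries.
    {"sAMAccountName": "carol", "primaryGroupID": 1105, "memberOf": []},
]
```

Against a live directory the `other_primary` filter is the one to run periodically: a non-default primary group is uncommon and explains exactly the kind of count mismatch the question reports.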

All replies

  • Thank you Richard!

    I had the sneaking suspicion that it had something to do with the PrimaryGroup.

    Thanks for clearing this up for me.

    Do you know of any official documentation that may explain this issue?

    Thursday, June 16, 2011 2:19 PM
  • This link documents some of this information:

    http://support.microsoft.com/kb/321360


    Richard Mueller - MVP Directory Services
    Thursday, June 16, 2011 9:03 PM