Group(s) not showing up in the Memberof property for users

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Group(s) not showing up in the Memberof property for users

    First, I did search.

    I have a multiple domain environment within a single forest. The functional level of the forest is Server 2003 and the functional level of each domain is Server 2003.

    Say I have two domains, A and B.

    I have two service accounts, user1 and user2, in the A domain. They are members of a domain local group in domain B.

    If you bring up the properties of the users in ADUC, this group is not listed in their memberof tab. Even though they are actually members of the group. If you try to add the group to the user, ADUC will say "this user is already a member of this group".


    If I go to the group itself, the group will show that these two accounts are members of the group.


    It looks like it is a cross-domain issue. I have even deleted the users from the group and re-added them, with the same results. If you go to the user accounts, add the group to the user and click 'Apply', it adds the group and then the group name automatically disappears in the GUI.


    With Quest, if I do a Get-QADUser and then view their .MemberOf, there is nothing. Not even Domain Users. These two accounts are both members of 3 groups, btw. The .NestedMemberOf and .AllMemberOf are also both blank.

    If you go to the group and pull the group membership, the users show up.

    If I add a user from domain B into this same group in domain B, the group shows up in ADUC and Get-QADUser for that user. That is why I think it is a cross-domain issue.

    I did some preliminary checks with DCDiag and repadmin /replsummary *, and it does not appear to be a replication issue between the domains.

    I've run out of ideas.

  • #2
    Re: Group(s) not showing up in the Memberof property for users

    In short, I think what you are seeing is perfectly normal. But if you want the long explanation then read on.

    Originally posted by Austin111:
    With Quest, If I do a get-qaduser and then view their .MemberOf there is nothing. Not even Domain Users.
    You wouldn't see Domain Users in there (assuming you have Domain Users as the user's primary group anyway) because primary groups are not stored in the MemberOf attribute. The SID of the primary group is stored in the PrimaryGroupID attribute of the user. As Domain Users is a "well known security principal" it has the same SID on every domain, so I can tell you that the PrimaryGroupID attribute for any account that has Domain Users as its primary group should have a value of 513 (and 512 is Domain Admins... or it might be the other way round, but you get the idea).

    Originally posted by Austin111:
    These two accounts are both members of 3 groups btw. The .NestedMemberOf and .AllMemberOf are also both blank.
    If these 3 groups are all groups that are in the other domain, then that's correct as well, as I believe the MemberOf attribute of a user only holds references to groups that are in the same domain as the user.

    When you look at a user account in ADUC you are just reading the attributes of that user object from the domain that the user object is stored in. That domain has no knowledge of the fact that the account is a member of a group in another domain because, as I mentioned above, the MemberOf attribute only holds information about groups in the local domain. A group's list of members, however, is stored with the group itself, so when you look at the group in the other domain you do see the reference to that user from the first domain.

    If you want to be sure all is working correctly though, the easiest way is to just test it. Add the user to a group in the other domain, deny that group access to something that the user would otherwise have access to, log on as the user and try to access that resource, and see if it is allowed or not.
    Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

    My blog: http://cjwdev.wordpress.com
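The explanation above has a practical consequence for anyone doing access reviews or offboarding: reading a user's memberOf (in ADUC, Get-QADUser, or raw LDAP against the user's own domain) does not give you the user's effective group membership. Two things are missing. The primary group is recorded only as a RID in primaryGroupID (513 is Domain Users, 512 is Domain Admins), and memberOf is a back-link that a domain controller can only compute for groups in partitions it holds, so a domain local group in another domain of the forest is invisible there even though the group's own member attribute lists the user. The script below is an added example, not code from the thread or from the cjwdev tools; it uses System.DirectoryServices so it needs no Quest snap-in. It resolves the primary group from its RID, prints the same-domain memberOf, and then queries the resource domain for groups whose member attribute contains the user's DN, which is where the "missing" domain local groups live. The domain names a.example.com and b.example.com and the account user1 are placeholders; replace them with your own.

```powershell
# Added example for this thread (not the posters' code). Enumerates a user's
# group memberships from the three places AD actually stores them, so that
# cross-domain domain local groups are not missed.
# Assumed placeholders: a.example.com (user's domain), b.example.com (domain
# holding the domain local group), user1 (sAMAccountName).
param(
    [string]$UserDomain     = 'a.example.com',
    [string]$ResourceDomain = 'b.example.com',
    [string]$SamAccountName = 'user1'
)

# Escape a value for use inside an LDAP filter (RFC 4515). Untrusted input
# such as a DN or account name must never be concatenated raw into a filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value = $Value -replace '\\', '\5c'   # backslash first, so later escapes are not doubled
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    $Value -replace "`0", '\00'
}

# Run one LDAP search against the named domain (any DC of that domain answers;
# use "GC://" only for attributes that are in the partial attribute set).
function Find-Ldap {
    param([string]$Domain, [string]$Filter, [string[]]$Properties, [switch]$All)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Properties)
    $searcher.PageSize = 500
    if ($All) { $searcher.FindAll() } else { $searcher.FindOne() }
}

$userFilter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
$user = Find-Ldap -Domain $UserDomain -Filter $userFilter -Properties distinguishedName, objectSid, primaryGroupID, memberOf
if (-not $user) { throw "User '$SamAccountName' not found in $UserDomain" }
$userDn = [string]$user.Properties['distinguishedname'][0]

# 1. Primary group: only the RID is stored, so rebuild the SID from the
#    user's own domain SID and translate it to a name.
$userSid    = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$user.Properties['objectsid'][0]), 0)
$primaryRid = [int]$user.Properties['primarygroupid'][0]
$primarySid = New-Object System.Security.Principal.SecurityIdentifier("$($userSid.AccountDomainSid.Value)-$primaryRid")
$primaryName = try { $primarySid.Translate([System.Security.Principal.NTAccount]).Value } catch { $primarySid.Value }
"Primary group (primaryGroupID=$primaryRid, never listed in memberOf): $primaryName"

# 2. memberOf as stored on the user object: same-domain groups only.
"memberOf on the user object in ${UserDomain}:"
$user.Properties['memberof'] | ForEach-Object { "  $_" }

# 3. Groups in the resource domain whose member attribute lists this user.
#    Inside one forest the member value is the user's real DN, not a foreign
#    security principal, so a plain equality match works. On 2003 SP2 or later
#    DCs, 'member:1.2.840.113556.1.4.1941:=' in place of 'member=' also walks
#    nested membership.
$groupFilter = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $userDn)))"
"Groups in $ResourceDomain that list $SamAccountName as a member:"
foreach ($g in (Find-Ldap -Domain $ResourceDomain -Filter $groupFilter -Properties distinguishedName, groupType -All)) {
    $gt    = [int]$g.Properties['grouptype'][0]
    $scope = if ($gt -band 4) { 'DomainLocal' } elseif ($gt -band 8) { 'Universal' } else { 'Global' }
    $kind  = if ($gt -band 0x80000000) { 'Security' } else { 'Distribution' }
    "  [$scope/$kind] $($g.Properties['distinguishedname'][0])"
}
```

Two caveats when using this for an audit. First, tokenGroups (the constructed attribute some tools use as "effective membership") is computed by the user's own domain controller and therefore also omits domain local groups from other domains; those SIDs are only added when the resource domain builds the access token, which is why the logon test suggested above is the definitive check. Second, a global catalog does not carry domain local group membership, so a GC query will not find these groups either; query an LDAP port of a DC in the resource domain, as the script does.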
