Re: Group(s) not showing up in the Memberof property for users
In short – I think what you are seeing is perfectly normal. But if you want the long explanation then read on :-)
You wouldn’t see Domain Users in there (assuming you have Domain Users as the user’s primary group anyway) because primary groups are not stored in the MemberOf attribute. The SID of the primary group is stored in the PrimaryGroupID attribute of the user – as Domain Users is a “well known security principal” it has the same SID on every domain so I can tell you that the PrimaryGroupID attribute for any account that has Domain Users as its primary group should have a value of 513 (and 512 is Domain Admins… or it might be the other way round but you get the idea :p).
If these 3 groups are all groups that are in the other domain then that’s correct as well, as I believe the MemberOf attribute of a user only holds references to groups that are in the same domain as the user.
When you look at a user account in ADUC then you are just reading the attributes of that user object from the domain that the user object is stored in. That domain has no knowledge of the fact that the account is a member of a group in another domain because, as I mentioned above, the MemberOf attribute only holds information about groups in the local domain. A group’s list of members, however, is stored with the group itself, so when you look at the group in the other domain then you do see the reference to that user from the first domain.
If you want to be sure all is working correctly though, the easiest way is to just test it. Add the user to a group in the other domain, deny that group access to something that the user would otherwise have access to, log on as the user and try and access that resource and see if it is allowed or not :)
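
An added example (not part of the original post) that collects a user's groups from the three places the reply describes: the memberOf attribute, primaryGroupID, and the member attribute of groups held in another domain. The account and domain names are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) and domains in the same forest.

```powershell
# Added example: group memberships that memberOf alone does not show.
Import-Module ActiveDirectory

# Placeholder values (assumptions); replace with your own.
$SamAccountName = 'jdoe'
$UserDomain     = 'domain-a.example'
$OtherDomains   = @('domain-b.example')

$user = Get-ADUser -Identity $SamAccountName -Server $UserDomain `
                   -Properties memberOf, primaryGroupID
$results = @()

# 1. Groups recorded on the user object itself.
foreach ($dn in $user.memberOf) {
    $results += [pscustomobject]@{ Source = 'memberOf'; Group = $dn }
}

# 2. Primary group: not listed in memberOf. Build its full SID from the
#    account's domain SID plus the primaryGroupID value, then resolve it.
$primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
$primary    = Get-ADGroup -Identity $primarySid -Server $UserDomain
$results   += [pscustomobject]@{ Source = 'primaryGroupID'; Group = $primary.DistinguishedName }

# 3. Groups in other domains: the membership is stored on the group, so
#    search each domain for groups whose member attribute holds the user's DN.
#    Escape LDAP filter metacharacters in the DN first (backslash before the rest).
$escapedDn = $user.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a').
                                     Replace('(', '\28').Replace(')', '\29')
foreach ($domain in $OtherDomains) {
    # Same-forest assumption: across a forest trust the member entry is a
    # foreignSecurityPrincipal object, not the user's DN, and this filter
    # would not match it.
    Get-ADGroup -LDAPFilter "(member=$escapedDn)" -Server $domain |
        ForEach-Object {
            $results += [pscustomobject]@{
                Source = "member attribute ($domain)"
                Group  = $_.DistinguishedName
            }
        }
}

$results | Sort-Object Source, Group | Format-Table -AutoSize
```

Comparing this output with what ADUC shows on the user's Member Of tab makes it clear which memberships an access review based only on memberOf would miss.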