Re: Group(s) not showing up in the Memberof property for users



chris128
Member
#309130


In short – I think what you are seeing is perfectly normal. But if you want the long explanation then read on :-)

Austin111;216734 wrote:
With Quest, if I do a get-qaduser and then view their .MemberOf there is nothing. Not even Domain Users.

You wouldn’t see Domain Users in there (assuming you have Domain Users as the user’s primary group anyway) because primary groups are not stored in the MemberOf attribute. The SID of the primary group is stored in the PrimaryGroupID attribute of the user – as Domain Users is a “well known security principal” it has the same SID on every domain so I can tell you that the PrimaryGroupID attribute for any account that has Domain Users as its primary group should have a value of 513 (and 512 is Domain Admins… or it might be the other way round but you get the idea :p).

Austin111;216734 wrote:
These two accounts are both members of 3 groups btw. The .NestedMemberOf and .AllMemberOf are also both blank.

If these 3 groups are all groups that are in the other domain then that’s correct as well, as I believe the MemberOf attribute of a user only holds references to groups that are in the same domain as the user.

When you look at a user account in ADUC then you are just reading the attributes of that user object from the domain that the user object is stored in. That domain has no knowledge of the fact that the account is a member of a group in another domain because, as I mentioned above, the MemberOf attribute only holds information about groups in the local domain. A group’s list of members, however, is stored with the group itself, so when you look at the group in the other domain then you do see the reference to that user from the first domain.

If you want to be sure all is working correctly though, the easiest way is to just test it. Add the user to a group in the other domain, deny that group access to something that the user would otherwise have access to, log on as the user and try and access that resource and see if it is allowed or not :)
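
Added example, not part of the original post: a PowerShell sketch that lists a user's groups from all three places discussed above (the memberOf attribute, the primary group resolved from primaryGroupID, and the member attribute of groups held in another domain). It assumes the Microsoft ActiveDirectory module rather than the Quest cmdlets and a second domain in the same forest; the function name, `jdoe` and `other.example.com` are placeholders.

```powershell
# Added example. Function name and sample values are hypothetical.
Import-Module ActiveDirectory

function Get-UserGroupsAcrossDomains {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # DNS names of other domains whose groups may contain the user
        [string[]] $OtherDomains = @()
    )

    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID

    # 1. Groups referenced by the user's own memberOf attribute
    foreach ($dn in $user.memberOf) {
        [pscustomobject]@{ Source = 'memberOf'; Group = $dn }
    }

    # 2. Primary group: never listed in memberOf. Its SID is the user's
    #    domain SID with the primaryGroupID value appended.
    $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
    $primary = Get-ADGroup -Identity $primarySid
    [pscustomobject]@{ Source = 'primaryGroupID'; Group = $primary.DistinguishedName }

    # 3. Groups in other domains: membership is stored on the group, so ask
    #    each domain which groups list this user's DN in their member attribute.
    #    Escape characters that are special in an LDAP filter (backslash first).
    $dnFilter = $user.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a').
                    Replace('(', '\28').Replace(')', '\29')
    foreach ($domain in $OtherDomains) {
        Get-ADGroup -LDAPFilter "(member=$dnFilter)" -Server $domain |
            ForEach-Object {
                [pscustomobject]@{ Source = "member ($domain)"; Group = $_.DistinguishedName }
            }
    }
}

# Placeholder account and domain names
Get-UserGroupsAcrossDomains -Identity 'jdoe' -OtherDomains 'other.example.com' |
    Format-Table -AutoSize
```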