It would appear that 4 of your DAs have domain admins as their primary group. Primary group membership is maintained differently due to the issues with large linked value attributes in Windows 2000. Instead of the membership being recorded with the group, the group's RID is stuffed in the primaryGroupID attribute of the user itself.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, August 23, 2005 6:43 PM
To: [email protected]
Subject: [ActiveDir] adfind / dsquery Group Membership incomplete
Hi -

I must be missing something very basic. Why is it that when I run one of the following queries, I only get seven of the 11 objects that show up in the Domain Admins when using the dsa.msc?

adfind -b dc=company,dc=com -f "objectclass=group" member
dsquery group -name "Domain Admins" | dsget group -members
dsquery group -name "Domain Admins" | dsget group -members
Thanks,
--
nme
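
The behaviour described in the reply, as an added example that is not part of the original thread: a privileged-group audit has to combine the group's member values with the objects whose primaryGroupID equals the RID at the end of the group's objectSid. The directory records, names and SID values below are constructed sample data, assumed to have been fetched already over LDAP; 512 is the well-known RID of Domain Admins.

```python
import struct

def make_sid(*subs):
    """Build a binary objectSid (revision 1, NT authority 5) for the sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_str(raw):
    """Decode a binary objectSid to its S-1-5-... string form."""
    subs = struct.unpack(f"<{raw[1]}I", raw[8:8 + 4 * raw[1]])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big")), *map(str, subs)])

def effective_members(group, objects):
    """Return (listed, via_primary): DNs in the group's member attribute, and
    DNs of same-domain objects whose primaryGroupID equals the group's RID."""
    sid = group["objectSid"]
    # The RID is the last 32-bit little-endian sub-authority; the rest is the domain.
    domain, rid = sid[:-4], struct.unpack("<I", sid[-4:])[0]
    listed = sorted(group.get("member", []))
    via_primary = sorted(
        o["dn"] for o in objects
        if int(o.get("primaryGroupID", 0)) == rid and o["objectSid"][:-4] == domain
    )
    return listed, via_primary

# Constructed sample data (hypothetical names and SIDs, not from the thread).
DOM, OTHER = (21, 1111, 2222, 3333), (21, 9, 9, 9)
BASE = "CN=Users,DC=company,DC=com"
GROUP = {"dn": f"CN=Domain Admins,{BASE}", "objectSid": make_sid(*DOM, 512),
         "member": [f"CN=alice,{BASE}", f"CN=bob,{BASE}"]}
OBJECTS = [
    {"dn": f"CN=alice,{BASE}", "objectSid": make_sid(*DOM, 1104), "primaryGroupID": "513"},
    {"dn": f"CN=bob,{BASE}", "objectSid": make_sid(*DOM, 1105), "primaryGroupID": "513"},
    # carol never appears in the group's member attribute: only her primaryGroupID points at it
    {"dn": f"CN=carol,{BASE}", "objectSid": make_sid(*DOM, 1106), "primaryGroupID": "512"},
    {"dn": f"CN=dave,{BASE}", "objectSid": make_sid(*DOM, 1107), "primaryGroupID": "513"},
    # same RID value but a different domain SID, so not a member of this group
    {"dn": "CN=eve,CN=Users,DC=other,DC=com", "objectSid": make_sid(*OTHER, 1001), "primaryGroupID": "512"},
]

if __name__ == "__main__":
    listed, via_primary = effective_members(GROUP, OBJECTS)
    print("group SID:", sid_to_str(GROUP["objectSid"]))
    print("listed in member:", listed)
    print("via primaryGroupID:", via_primary)
    print("effective total:", len(set(listed) | set(via_primary)))
```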
