RESEND:
Unfortunately no this isn't corrected in 2003 but I have made a request for it to be changed. I expect it won't be changed because it would impact anyone who figured out how to get the membership properly before. Basically something dumb that has to go on staying dumb because of legacy reasons.

You could set up a query to be like

adfind -b dc=domain,dc=com -f "|(&(objectcategory=group)(name=domain admins))(primarygroupid=512)" member

Unfortunately your answer is going to be in multiple spots. For any primary group folks, the user object will be returned in the DN. For the folks who aren't using domain admins as primary they will be returned in the member attribute of the returned group object.

You need to set up some process to add the users with the primary membership set to DAs to the Domain Users group. Then you will change the primarygroupid for them to 513. This is probably a good thing to do via script.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, August 23, 2005 7:08 PM
To: [email protected]
Subject: RE: [ActiveDir] adfind / dsquery Group Membership incomplete
Thanks. That explains it. (With some poking around, I
discovered the correlation but not the reason.) How would I construct a query to
capture both the Group and Primary Group membership? Is there a way (besides
clicking) to simply set the Primary for all users back to Domain Users? Is this
corrected in 2003?
-- nme
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 23, 2005 3:53 PM
To: [email protected]
Subject: RE: [ActiveDir] adfind / dsquery Group Membership incomplete

It would appear that 4 of your DAs have domain admins as their primary group. Primary group membership is maintained differently due to the issues with large linked value attributes in Windows 2000. Instead of the membership being recorded with the group, the group's RID is stuffed in the primaryGroupID attribute of the user itself.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, August 23, 2005 6:43 PM
To: [email protected]
Subject: [ActiveDir] adfind / dsquery Group Membership incomplete

Hi -

I must be missing something very basic. Why is it that when I run one of the following queries, I only get seven of the 11 objects that show up in the Domain Admins when using the dsa.msc?

adfind -b dc=company,dc=com -f "objectclass=group" member
dsquery group -name "Domain Admins" | dsget group -members

Thanks,
-- nme
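
The combined lookup and the primary-group reset described in the reply at the top of this thread, as an added example that is not code from any of the posters. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates this thread; the function names Get-EffectiveGroupMember and Reset-PrimaryGroupToDomainUsers are hypothetical.

```powershell
# Added example: assumes the ActiveDirectory (RSAT) module and a session in the target domain.
Import-Module ActiveDirectory

function Get-EffectiveGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member
    # The RID is the last component of the group's SID (512 for Domain Admins).
    $rid = $group.SID.Value.Split('-')[-1]

    # Members recorded on the group object itself.
    $direct = @($group.member)
    # Members recorded only on the account, through primaryGroupID.
    $primary = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" |
        Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in ($direct + $primary | Sort-Object -Unique)) {
        [pscustomobject]@{
            DistinguishedName = $dn
            ViaPrimaryGroup   = $primary -contains $dn
        }
    }
}

function Reset-PrimaryGroupToDomainUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupName)

    # Domain Users is always <domain SID>-513.
    $domainSid   = (Get-ADDomain).DomainSID.Value
    $domainUsers = Get-ADGroup -Identity "$domainSid-513"
    $rid = (Get-ADGroup -Identity $GroupName).SID.Value.Split('-')[-1]

    foreach ($user in Get-ADUser -LDAPFilter "(primaryGroupID=$rid)" -Properties memberOf) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'set primaryGroupID to 513')) {
            # The account must already be a member of the new primary group.
            if ($user.memberOf -notcontains $domainUsers.DistinguishedName) {
                Add-ADGroupMember -Identity $domainUsers -Members $user
            }
            Set-ADUser -Identity $user -Replace @{ primaryGroupID = 513 }
        }
    }
}
```

Run `Reset-PrimaryGroupToDomainUsers -GroupName 'Domain Admins' -WhatIf` first to list the accounts that would change, then compare `Get-EffectiveGroupMember 'Domain Admins'` before and after.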
