If a user is removed from a group, the member attribute should be updated immediately. That is the actual change occurring.
 
The only time I would expect a disjoint is if a user in domain1 is deleted, renamed, or moved and the phantom wasn't updated properly in domain2, in which the user is in one or more groups. At that point domain2 DCs (that aren't GCs) could get a little confused as to the membership of the groups.
 
Also if a user is in domain1 and the group is in domain2, the user's memberof attribute would not reflect the membership of the group UNLESS one of the following is true
 
1. The group is universal scope and you are querying a GC.
2. The group is any type scope and you are querying a GC that happens to be a DC for domain2.
 
I am not in any way shape or form talking about the GUI. The GUI interprets things and the interpretation can vary based on the version of the tool, I am talking about actual real values you are seeing when looking at the directory raw.
 
 
I would look at the member attribute on the group in question with adfind or some other LDAP tool which doesn't try to interpret the info for you (LDP, ADSIEDIT, etc). Whatever you see is the actual current membership (for that DC). If you see something that shouldn't be there, use ADMOD (or LDP/ADSIEDIT) to remove the member. The group should update immediately on that DC. If it doesn't, what is the error message (you can use -exterr with ADMOD to get additional error info).
 
 
   joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
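Added example, not part of joe's reply or the original post: a PowerShell script that does the raw check joe describes with System.DirectoryServices instead of adfind/LDP/ADSIEDIT. It reads the group's member attribute from a named domain2 DC, reads the user's memberOf from a DC in the user's own domain and from a GC, and then removes a stale member over plain LDAP, surfacing the server's extended error text (the equivalent of admod -exterr) if the modify fails. The host names, DNs and OU layout are assumptions for illustration only.

```powershell
# Added example (not joe's or Steven's code). All names below are assumed.
$GroupDn   = 'CN=DL-Example,OU=Groups,DC=domain2,DC=example'   # assumed: group lives in domain2
$UserDn    = 'CN=jdoe,OU=Users,DC=domain1,DC=example'          # assumed: user lives in domain1
$Domain2Dc = 'dc01.domain2.example'                            # assumed: domain2 DC that is NOT a GC
$Domain1Dc = 'dc01.domain1.example'                            # assumed: a DC for the user's own domain
$Gc        = 'gc01.domain2.example'                            # assumed: a global catalog server

function Get-RawAttribute {
    # Bind to one object on one named server and return the attribute values as
    # plain strings, with no GUI interpretation. The GC: provider reads the
    # partial attribute set the global catalog holds; LDAP: reads the full object.
    param([string]$Server, [string]$Dn, [string]$Attribute, [switch]$GlobalCatalog)
    $provider = if ($GlobalCatalog) { 'GC' } else { 'LDAP' }
    $entry = New-Object System.DirectoryServices.DirectoryEntry("${provider}://$Server/$Dn")
    try {
        $entry.RefreshCache(@($Attribute))      # force a fresh read of just this attribute
        $values = @()
        foreach ($v in $entry.Properties[$Attribute]) { $values += [string]$v }
        return $values
    }
    finally { $entry.Dispose() }
}

function Test-CrossDomainMembership {
    # Compare the forward link (member on the group) with the back link (memberOf
    # on the user) as each server actually stores it. The forward link on the DC
    # that holds the group is the authoritative view for that DC.
    $memberOnDc          = @(Get-RawAttribute -Server $Domain2Dc -Dn $GroupDn -Attribute 'member')
    $memberOfOnDomain1Dc = @(Get-RawAttribute -Server $Domain1Dc -Dn $UserDn  -Attribute 'memberOf')
    $memberOfOnGc        = @(Get-RawAttribute -Server $Gc        -Dn $UserDn  -Attribute 'memberOf' -GlobalCatalog)

    New-Object PSObject -Property @{
        # forward link: what the group on this domain2 DC really contains
        GroupMemberListsUser       = ($memberOnDc -contains $UserDn)
        # expected False: a domain1 DC cannot see the back link to a domain2 group
        UserMemberOfListsGroup_DC  = ($memberOfOnDomain1Dc -contains $GroupDn)
        # True only if the group is universal, or the GC is itself a domain2 DC
        UserMemberOfListsGroup_GC  = ($memberOfOnGc -contains $GroupDn)
    }
}

function Remove-StaleMember {
    # Remove one DN from the group's member attribute on a named DC via raw LDAP
    # modify, then re-read member from the same DC to confirm. On failure the
    # DirectoryServicesCOMException carries the server's extended error text,
    # which is the information admod -exterr would print.
    param([string]$Server, [string]$Dn, [string]$MemberDn)
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
    try {
        $group.Properties['member'].Remove($MemberDn)
        $group.CommitChanges()
        $after = @(Get-RawAttribute -Server $Server -Dn $Dn -Attribute 'member')
        return (-not ($after -contains $MemberDn))   # True when the value is gone on this DC
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $detail = $ex.Message
        if ($ex -is [System.DirectoryServices.DirectoryServicesCOMException]) {
            $detail += ' / ' + $ex.ExtendedErrorMessage
        }
        Write-Warning ("Modify failed on {0}: {1}" -f $Server, $detail)
        return $false
    }
    finally { $group.Dispose() }
}

# Usage: look first, remove only once the raw view confirms the stale value.
Test-CrossDomainMembership | Format-List
# Remove-StaleMember -Server $Domain2Dc -Dn $GroupDn -MemberDn $UserDn
```

Run Test-CrossDomainMembership against more than one domain2 DC if the forward link disagrees between them, since each DC's member attribute is only authoritative for that DC and a disagreement points at the phantom or replication problem joe describes rather than at the GUI. For groups larger than the server's value range limit (1500 values by default) the member attribute comes back in ranges, so the read above needs range retrieval before the -contains check is trustworthy.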
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Friday, August 11, 2006 9:18 AM
To: [email protected]
Subject: [ActiveDir] memberOf and member link breaking

I have seen this a few times now (Windows 2003 SP1) where someone will remove a user from a distribution group and it will update the memberOf attribute of the user, but not the member attribute of the group.  The user object is in a different domain than the group if that matters.  It does not appear to be replication related as things are replicating just fine in my testing.  Has anyone seen this before or have any suggestions on what it might be?

 

When looking at the group’s membership list in ADUC, the icon of the unlinked user object that is listed on the members tab is actually kind of grayed out. I’m sure I could just manually delete it, but I’d like to find out what is causing this and fix it.  Any suggestions would be awesome.

 

Best regards,

Steven
