So some more information.
The group is a universal group in domainA, the user is in domainB. I
looked at the user object using ADFIND (my favorite tool... thanks Joe!) and sure
enough it shows that the user is indeed still a member of the list, but using
ADUC it doesn’t show that (as you suggested). The whole reason this
is coming up is that people are sending mail to this list and Exchange is
generating a DSN because of this problem. I was able to manually remove
the user from the list using ADUC (from the group and it did indeed replicate
to the user in the other domain, verified with ADFIND). So now that I’ve fixed
this instance of the problem I’m wondering what is causing it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

If a user is removed from a group, the member attribute should be
updated immediately. That is the actual change occurring.

The only time I would expect a disjoint is if a user in domain1 is
deleted, renamed, or moved and the phantom wasn't updated properly in domain2
in which the user is in one or more groups. At that point domain2 DCs
(that aren't GCs) could get a little confused as to the membership of the
groups.

Also if a user is in domain1 and the group is in domain2, the
user's memberof attribute would not reflect the membership of the group UNLESS
one of the following is true

1. The group is universal scope and you are querying a GC.
2. The group is any type scope and you are querying a GC that
   happens to be a DC for domain2.

I am not in any way shape or form talking about the GUI. The GUI
interprets things and the interpretation can vary based on the version of the
tool, I am talking about actual real values you are seeing when looking at the
directory raw.

I would look at the member attribute on the group in question with
adfind or some other LDAP tool which doesn't try to interpret the info for you
(LDP, ADSIEDIT, etc). Whatever you see is the actual current membership (for
that DC). If you see something that shouldn't be there, use ADMOD (or
LDP/ADSIEDIT) to remove the member. The group should update immediately on that
DC. If it doesn't, what is the error message (you can use -exterr with ADMOD to
get additional error info).

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven

I have seen this a few times now (Windows 2003 Sp1) where
someone will remove a user from a distribution group and it will update the
memberOf attribute of the user, but not the member attribute of the
group. The user object is in a different domain than the group if that
matters. It does not appear to be replication related as things are
replicating just fine in my testing. Has anyone seen this before or have
any suggestions on what it might be?

When looking at the group’s membership list in ADUC,
the icon of the unlinked user object that is listed on the members tab is
actually kind of grayed out, but I’m sure I could just manually delete
it, but I’d like to find out what is causing this and fix it. Any
suggestions would be awesome.

Best regards,
Steven
- RE: [ActiveDir] memberOf and member link breaking Presley, Steven
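
Added example (not part of the original thread and not code from any poster): a Python sketch of the check discussed above, which compares the raw member values on the group with the raw memberOf values on the user and applies the two GC rules from the thread to decide whether memberOf can be expected to show the group at all. The DNs, the Server type, the function names and the same-domain branch are assumptions made for illustration; the attribute values would come from a raw LDAP read such as ADFIND output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    domain: str   # domain the queried DC belongs to
    is_gc: bool   # True if that DC is also a global catalog

def memberof_visible(user_domain, group_domain, group_scope, server):
    """Should the user's memberOf list this group when read from `server`?"""
    if user_domain == group_domain:
        # Assumption beyond the thread: same-domain link, read from a DC of that domain.
        return server.domain == group_domain
    if not server.is_gc:
        return False
    # Rule 1: universal group on any GC.
    # Rule 2: any scope on a GC that is also a DC for the group's domain.
    return group_scope == "universal" or server.domain == group_domain

def classify(user_dn, group_dn, member_values, memberof_values, visible):
    """Compare the raw forward link (member) with the raw back link (memberOf)."""
    # Simplification: DNs are compared case-insensitively as plain strings.
    fwd = user_dn.lower() in {v.lower() for v in member_values}
    back = group_dn.lower() in {v.lower() for v in memberof_values}
    if not visible:
        # memberOf cannot show this group from the queried server; member alone decides.
        return "member (memberOf not expected here)" if fwd else "not a member"
    if fwd == back:
        return "member" if fwd else "not a member"
    if fwd:
        return "DISJOINT: member set, memberOf missing"
    return "DISJOINT: memberOf set, member missing"

# Constructed sample data (hypothetical DNs), shaped like the thread:
# a universal group in domainA and a user in domainB.
GROUP = "CN=Sales List,OU=Groups,DC=domainA,DC=example,DC=com"
USER = "CN=Test User,OU=Staff,DC=domainB,DC=example,DC=com"
gc_b = Server(domain="domainB", is_gc=True)    # GC in the user's domain
dc_b = Server(domain="domainB", is_gc=False)   # plain DC in the user's domain

if __name__ == "__main__":
    for srv in (gc_b, dc_b):
        vis = memberof_visible("domainB", "domainA", "universal", srv)
        print(srv, vis, classify(USER, GROUP, [USER], [], vis))
```

A DISJOINT result is only meaningful when both attribute reads come from the directory raw, since the member value on the group is what defines the current membership on that DC.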
