I would say that whoever removed the user from the group
didn't really remove the user from the group, for whatever reason. ADUC has some
special handling around universal groups and the memberof tab that others, I am
sure, will pipe in with, or you can search the archives; I seem to recall Guido
speaking to this at length a couple of times. I am not a huge GUI kind of guy, so
I don't have the details on the tip of my tongue.
I recommend, when managing group membership, going to the
actual group and managing it from there.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Friday, August 11, 2006 12:07 PM
To: [email protected]
Subject: RE: [ActiveDir] memberOf and member link breaking

So some more information.
The group is a universal group in domainA, the user is in domainB. I
looked at the user object using ADFIND (my favorite tool... thanks Joe!) and sure
enough it shows that the user is indeed still a member of the list, but using
ADUC it doesn’t show that (as you suggested). The whole reason this is
coming up is that people are sending mail to this list and Exchange is
generating a DSN because of this problem. I was able to manually remove
the user from the list using ADUC (from the group, and it did indeed replicate to
the user in the other domain, verified with ADFIND).
So now that I’ve fixed this instance of the problem I’m wondering what is causing it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

If a user is removed from a group, the member attribute should be updated
immediately. That is the actual change occurring. The only
time I would expect a disjoint is if a user in domain1 is deleted, renamed, or
moved and the phantom wasn't updated properly in domain2, in which the user
is in one or more groups. At that point domain2 DCs (that aren't GCs)
could get a little confused as to the membership of the groups. Also, if
a user is in domain1 and the group is in domain2, the user's memberof attribute
would not reflect the membership of the group UNLESS one of the following is
true:

1. The group is universal scope and you are querying a GC.
2. The group is of any scope and you are querying a GC that happens to be a DC for domain2.

I am not in any way, shape or form talking about the GUI. The GUI interprets things, and
the interpretation can vary based on the version of the tool; I am talking about
the actual real values you are seeing when looking at the directory raw.

I would
look at the member attribute on the group in question with adfind or some other
LDAP tool which doesn't try to interpret the info for you (LDP, ADSIEDIT, etc).
Whatever you see is the actual current membership (for that DC). If you see
something that shouldn't be there, use ADMOD (or LDP/ADSIEDIT) to remove the
member. The group should update immediately on that DC. If it doesn't, what is
the error message (you can use -exterr with ADMOD to get additional error info).
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven

I have seen this a few times now (Windows 2003 SP1) where
someone will remove a user from a distribution group and it will update the
memberOf attribute of the user, but not the member attribute of the group.
The user object is in a different domain than the group, if that matters.
It does not appear to be replication related, as things are replicating just fine
in my testing. Has anyone seen this before or have any suggestions on what
it might be? When looking at the group’s membership list in ADUC, the icon
of the unlinked user object that is listed on the members tab is actually kind
of grayed out. I’m sure I could just manually delete it, but I’d like to
find out what is causing this and fix it. Any suggestions would be
awesome.

Best regards,
Steven
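The raw-attribute check joe describes, written up as an added PowerShell example that is not from anyone in this thread: it reads the group's forward link (member) from a DC in the group's domain and the user's back link (memberOf) from a GC on port 3268, which is the only place a cross-domain universal group membership shows up on the user, and reports whether the two agree. The function name `Test-GroupLinkConsistency`, the DNs and the server names are placeholders; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Compares the authoritative forward link
# (member on the group) with the constructed back link (memberOf on the user).
# All DNs and host names below are placeholders for a real environment.
Import-Module ActiveDirectory

function Test-GroupLinkConsistency {
    param(
        [Parameter(Mandatory)] [string]$GroupDN,    # universal group living in domainA
        [Parameter(Mandatory)] [string]$UserDN,     # user living in domainB
        [Parameter(Mandatory)] [string]$GroupDomainDC,  # a DC of the group's domain
        [Parameter(Mandatory)] [string]$GlobalCatalog   # any GC in the forest
    )

    # 1. The real membership is the multi-valued 'member' attribute on the group.
    #    Read it from a DC in the group's own domain; that copy is writable and
    #    authoritative, regardless of what the ADUC members tab renders.
    $group = Get-ADGroup -Identity $GroupDN -Server $GroupDomainDC -Properties member
    $groupListsUser = [bool]($group.member -contains $UserDN)

    # 2. 'memberOf' is a back link computed from 'member'. For a user in another
    #    domain it is only populated when the group is universal and the query
    #    goes to a GC (port 3268), exactly the caveat in joe's reply.
    $user = Get-ADUser -Identity $UserDN -Server "$($GlobalCatalog):3268" -Properties memberOf
    $userListsGroup = [bool]($user.memberOf -contains $GroupDN)

    [pscustomobject]@{
        GroupDN          = $GroupDN
        UserDN           = $UserDN
        GroupHasMember   = $groupListsUser     # forward link, what Exchange expands
        UserHasMemberOf  = $userListsGroup     # back link as seen from the GC
        LinksAgree       = ($groupListsUser -eq $userListsGroup)
    }
}

# Constructed sample call; replace with real DNs and servers.
$result = Test-GroupLinkConsistency `
    -GroupDN       'CN=SomeList,OU=Groups,DC=domainA,DC=example' `
    -UserDN        'CN=Some User,OU=Users,DC=domainB,DC=example' `
    -GroupDomainDC 'dc1.domainA.example' `
    -GlobalCatalog 'gc1.domainA.example'
$result

if (-not $result.LinksAgree) {
    # memberOf cannot be edited directly; any fix is made to 'member' on the
    # group (ADMOD, LDP, ADSIEDIT or Set-ADGroup -Remove @{member=...}) against
    # a DC of the group's domain, then allowed to replicate to the GCs.
    Write-Warning "member and memberOf disagree; inspect and correct 'member' on $($result.GroupDN) at the group's domain DC."
}
```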