Domain Users is not necessarily a primary group. Any group can be the primary group for a user. Primary group membership is stored as an attribute of the user and is not reflected in the member collection for a group or the memberOf collection for the user. Primary groups are a Windows NT "feature" that was carried forward into AD in order to support hybrid NT/AD domains. You must take this into account when querying AD group memberships.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: [email protected]
Phone: 614-716-4970

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Harry Jede
Sent: Friday, April 11, 2014 11:16 AM
To: [email protected]
Cc: Sankar P; Mark Pröhl
Subject: Re: Getting the list of members in an AD group

Sankar P wrote:
> The group whose SID that I am trying to take is the default "Domain
> Users" group. The ldapsearch query too fails for that but for any
> other custom groups, the membership information is printed. So is
> there a different style that we should follow for getting the "Domain
> Users" group members?

Yes. "Domain Users" is a primary group, membership is stored in the user object.

--
Harry Jede
