Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Missing "memberof" ldap attribute

1,425 views
Skip to first unread message

Chris

unread,
Nov 20, 2009, 4:36:02 PM11/20/09
to
We have users that are missing the "memberof" ldap attribute when they belong
to domain security groups. If you look in the ADUC, it shows the user is a
member of multiple groups. When you look at the users LDAP attributes (using
3rd party tool Softera LDAP browser), the "memberof" attribute is missing
alltogether. Any ideas what might be happening? I don't see any errors in the
event logs.

I have domain admin permissions and that has no effect on whether it shows
or not. I have also created new ID's and it also has the same issue.

thanks,
Chris

Richard Mueller [MVP]

unread,
Nov 20, 2009, 6:06:43 PM11/20/09
to

"Chris" <Ch...@discussions.microsoft.com> wrote in message
news:91AC26F0-BC91-439F...@microsoft.com...

I'm not familiar with the Softera browser. What do you see when you use Joe
Richards' free adfind utility. For example, for user with "pre-Windows 2000
logon" name jsmith:

adfind -default -f "(sAMAccountName=jsmith)" memberOf

Note that the number of values in the memberOf attribute will always be one
less than the number of direct group memberships shown in ADUC, because the
"primary" group (usually "Domain Users") is never included. Also, if the
user is a member of only their "primary" group, the memberOf attribute has
no values and technically nothing is saved in AD, so perhaps it appears
there is no memberOf attribute. Ather tools you can use are ADSI Edit and
ldp.exe.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Chris

unread,
Nov 25, 2009, 4:59:01 PM11/25/09
to
Richard,

I used the tool and it does list the memberOf groups correctly. But we have
some third party apps that aren't working correctly. I believe that when
these apps query for the LDAP attributes, it is not finding them
(specifically memberOf).

So when i used (Softera ..which is free) I see that the memberOf attribute
is missing. I also have since found out that the useraccountcontrol is also
not listed.

I found an instance in which you responded to someone else having a similar
issue.

This is how they fixed the problem:

The group Authenticated Users needs the permission Read to be set to
'Allow'. All the users objects we've been missing from our query results do
not have this permission set. When this permission is set correct they
appear in the results.


Might this be my issue and how would I verify this. I'm looking in the ADUC
with Advanced Features and this group is set. Is it something else?


"Richard Mueller [MVP]" wrote:

> .
>

0 new messages