| Author | Messages |

noaheiger@xxxx.yyy | 08/23/2005 10:44 AM
Hi -
I must be missing something very basic. Why is it that when I run one of the following queries, I only get seven of the 11 objects that show up in the Domain Admins when using the dsa.msc?

adfind -b dc=company,dc=com -f "objectclass=group" member

dsquery group -name "Domain Admins" | dsget group -members

Thanks,
--
nme
listmail (Posts: 454) | 08/23/2005 10:57 AM
It would appear that 4 of your DAs have domain admins as their primary group. Primary group membership is maintained differently due to the issues with large linked value attributes in Windows 2000. Instead of the membership being recorded with the group, the group's RID is stuffed in the primaryGroupID attribute of the user itself.
joe
noaheiger@xxxx.yyy | 08/23/2005 11:10 AM
Thanks. That explains it. (With some poking around, I discovered the correlation but not the reason.) How would I construct a query to capture both the Group and Primary Group membership? Is there a way (besides clicking) to simply set the Primary for all users back to Domain Users? Is this corrected in 2003?
-- nme
listmail (Posts: 454) | 08/23/2005 11:37 AM
Unfortunately no, this isn't corrected in 2003, but I have made a request for it to be changed. I expect it won't be changed because it would impact anyone who figured out how to get the membership properly before. Basically something dumb that has to go on staying dumb because of legacy reasons.

You could set up a query to be like

adfind -b dc=domain,dc=com -f "|(&(objectcategory=group)(name=domain admins))(primarygroupid=512)" member

Unfortunately your answer is going to be in multiple spots. For any primary group folks, the user object will be returned in the DN. For the folks who aren't using domain admins as primary, they will be returned in the member attribute of the returned group object.

You need to set up some process to add the users with the primary membership set to DAs to the Domain Users group. Then you will change the primarygroupid for them to 513. This is probably a good thing to do via script.
joe
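The two-part answer above (union the group's member attribute with users whose primaryGroupID holds the group's RID, then move those users back to Domain Users as primary) as a script. This is an added example, not code from the thread or from AdFind; it assumes the RSAT ActiveDirectory module, the group name in $GroupName, and that $Fix is only set to $true once the listing has been reviewed. An audit of a privileged group that reads only the member attribute misses the primaryGroupID accounts, which is exactly the seven-of-eleven gap in the original question.

```powershell
# Added example (not from the thread): full membership of a group, including
# accounts that hold it only through primaryGroupID, plus optional remediation.
Import-Module ActiveDirectory

$GroupName = 'Domain Admins'   # assumption: group to audit
$Fix       = $false            # assumption: $true performs the primary-group reset

$grp = Get-ADGroup -Identity $GroupName -Properties member
# primaryGroupID stores the group's RID, i.e. the last component of its SID
$rid = [int]($grp.SID.Value -split '-')[-1]          # 512 for Domain Admins

# 1. Members recorded on the group object (the linked 'member' attribute);
#    these may be users or nested groups, so resolve them as generic objects.
$linked = @($grp.member | ForEach-Object { Get-ADObject -Identity $_ })

# 2. Members recorded only on the user object via primaryGroupID
$primary = @(Get-ADUser -LDAPFilter "(primaryGroupID=$rid)")

# The union of both sources is what dsa.msc shows as the group's membership
$all = @($linked + $primary | Sort-Object DistinguishedName -Unique)
"{0}: {1} linked + {2} via primaryGroupID = {3} total" -f `
    $GroupName, $linked.Count, $primary.Count, $all.Count
$all | Select-Object Name, DistinguishedName

if ($Fix -and $primary.Count -gt 0) {
    $users    = Get-ADGroup -Identity 'Domain Users'
    $usersRid = [int]($users.SID.Value -split '-')[-1]   # 513 for Domain Users
    foreach ($u in $primary) {
        # The account must already be a member of the new primary group before
        # primaryGroupID may point at it, so add first, then switch the RID
        # (the order the thread describes).
        Add-ADGroupMember -Identity $users -Members $u -ErrorAction SilentlyContinue
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $usersRid }
        # AD adds the account to the old primary group's member attribute when
        # the primary group changes, so its effective membership is unchanged;
        # re-run the listing above to confirm the total is the same.
        "Reset primary group of {0} to Domain Users" -f $u.SamAccountName
    }
}
```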
listmail (Posts: 454) | 08/24/2005 1:05 AM
RESEND: