10-17-2012 12:59 PM
It seems no matter what group I add an account to the ldap memberOf finds it except for the Domain Users group. Is there a specific exclusion of this group somewhere? It doesn't appear to be an issue with the space in the name because if I test with other default groups like Domain Admins it works. I am getting the same result from both the ldap attribute map as well as trying to use the Domain Users group in a DAP policy. A debug ldap 255 returns every other group membership for an account except for Domain Users.
When I issue the command 'sh ad-group LDAP filter "Domain " ' the Domain Users group is in the results list, so it is able to see it and it exists.
10-18-2012 06:37 AM
Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute. http://msdn.microsoft.com/en-us/library/ms677943.aspx That explains why the mapping fails for any Domain Users, as seen in the debugs.
10-18-2012 06:49 AM
Thanks for the info. Based on your input I have created 2 different DAPs, one using the primaryGroupID of 513 to capture the standard account Domain Users and one that uses memberOf = Domain Users for any accounts that might have had their primaryGroupID changed. It seems to be working.
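An added example, not from this thread or from Cisco, showing in Python why the two DAP rules above are needed: the primary group (Domain Users, RID 513 by default) lives only in primaryGroupID, and its SID is the user's domain SID with the RID swapped for primaryGroupID. The SIDs, DNs and accounts are constructed sample data for a hypothetical domain.

```python
# Combine memberOf (explicit groups) with the primary group (implicit, from
# primaryGroupID) to get a user's effective AD group list. Active Directory
# never lists the primary group in memberOf, which is why an LDAP attribute
# map or DAP keyed on memberOf alone misses Domain Users.
from typing import Dict, List

DOMAIN_USERS_RID = 513  # default primaryGroupID for ordinary user accounts
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=local"  # constructed

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Primary group SID = user's domain SID + '-' + primaryGroupID."""
    if not user_sid.startswith("S-1-5-21-"):
        raise ValueError("expected a domain account SID (S-1-5-21-...)")
    domain_sid = user_sid.rsplit("-", 1)[0]  # strip the user's own RID
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(user: Dict, groups_by_sid: Dict[str, str]) -> List[str]:
    """memberOf entries followed by the resolved primary group, deduplicated."""
    groups = list(user.get("memberOf", []))
    sid = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    pg_dn = groups_by_sid.get(sid)
    if pg_dn is None:
        raise LookupError(f"primary group {sid} not in directory snapshot")
    if pg_dn not in groups:
        groups.append(pg_dn)
    return groups

def matches_domain_users_dap(user: Dict) -> bool:
    """The poster's two-rule DAP: primaryGroupID == 513 OR memberOf has Domain Users."""
    return (user["primaryGroupID"] == DOMAIN_USERS_RID
            or DOMAIN_USERS_DN in user.get("memberOf", []))

# Constructed stand-ins for LDAP search results (hypothetical domain).
GROUPS_BY_SID = {
    "S-1-5-21-1111111111-2222222222-3333333333-513": DOMAIN_USERS_DN,
    "S-1-5-21-1111111111-2222222222-3333333333-512": "CN=Domain Admins,CN=Users,DC=example,DC=local",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "CN=VPN-Users,OU=Groups,DC=example,DC=local",
}
ALICE = {  # standard account: primary group still Domain Users, absent from memberOf
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "primaryGroupID": 513,
    "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=local"],
}
BOB = {  # primary group changed to Domain Admins; Domain Users is now a plain memberOf
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
    "primaryGroupID": 512,
    "memberOf": [DOMAIN_USERS_DN],
}
```

For both sample accounts the two-rule DAP gives the same answer as checking Domain Users in the effective group list, which is the check a memberOf-only rule cannot make.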