
In my AD domain some users do not have the "memberOf" attribute set, so these accounts do not appear in the search results when I perform an LDAP query like this:

memberOf=CN=Group_A,OU=G-Security,OU=CB-Groups,OU=company,DC=lan,DC=name,DC=it

Performing that search gives me a partial list of Group_A members, only the ones with the "memberOf" attribute populated. But if I browse Group_A with AD Users and Computers I correctly see all members, and if I perform an LDAP search on Group_A I correctly receive all members in the "members" attribute.

Reading the docs I found that "memberOf" is a calculated attribute, so I cannot edit it, but is there a way to re-calculate it? Or is there something wrong with the accounts that do not have the "memberOf" attribute?

I am trying to get that LDAP query working because it is used by an external application to retrieve the list of users who are allowed to use it.

J.B.
  • Are all of your domain controllers GCs? And which DC is the infrastructure master? – Greg Askew Oct 08 '21 at 12:15
  • Unfortunately I do not administer the AD environment directly, but I will ask my AD administrator. Should I try to query the infrastructure master server? – J.B. Oct 08 '21 at 12:25
  • The `memberOf` attribute does not exist for the primary group of the user. – Gerald Schneider Oct 08 '21 at 12:34
  • Generally an LDAP-aware product will have a way to supply a group DN directly rather than calculating its membership via a per-user "memberof" property. I'd check the vendor documentation. – LeeM Oct 13 '21 at 00:46

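Added example (not part of the question or the comments above): a small Python script that shows why a `(memberOf=<group DN>)` filter undercounts a group and how to enumerate the group without relying on the back-link. It emulates the two cases the comments raise, a user whose primary group is Group_A (Gerald Schneider's point: stored only as a RID in `primaryGroupID`, so it never gets a `memberOf` value) and a direct member whose back-link the queried DC does not hold (Greg Askew's GC / infrastructure master question), and classifies each account the `memberOf` query misses. The Group_A DN is taken from the question; the domain SID, the RID 1105, the user DNs and their attributes are a constructed sample, not real directory data. The `live_check` function runs the same comparison against a real DC with the `ldap3` package over a simple bind on LDAPS; its host, bind identity and search base are placeholders for the reader to fill in.

```python
# Added example: why "(memberOf=<group DN>)" undercounts Group_A and how to enumerate
# the group without relying on the memberOf back-link.  memberOf is computed from the
# group's forward link "member"; a user's primary group is stored only as a RID in
# primaryGroupID, so it never has a memberOf value, and a back-link the queried DC
# cannot resolve (e.g. a cross-domain member on a non-GC) is simply absent there.
import struct


def sid_to_string(sid: bytes) -> str:
    """Render AD's binary objectSid as S-1-5-21-...-RID."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")           # 48-bit, big-endian
    subs = struct.unpack_from(f"<{sub_count}I", sid, 8)   # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(sid: bytes) -> int:
    """The last sub-authority is the RID; a user's primaryGroupID holds exactly this number."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]


def dn_key(dn: str) -> str:
    """DNs match case-insensitively in LDAP; normalise before comparing."""
    return dn.casefold()


def members_via_memberof(users: dict, group_dn: str) -> set:
    """Emulates the app's filter (memberOf=<group_dn>): only users carrying the back-link match."""
    want = dn_key(group_dn)
    return {dn for dn, a in users.items() if any(dn_key(g) == want for g in a.get("memberOf", []))}


def members_via_group(users: dict, group: dict) -> set:
    """Reads the group's forward link, plus everyone whose primary group it is."""
    rid = rid_from_sid(group["objectSid"])
    direct = {dn_key(m) for m in group["member"]}
    return {dn for dn, a in users.items() if dn_key(dn) in direct or a.get("primaryGroupID") == rid}


def explain_missing(users: dict, group: dict, group_dn: str) -> dict:
    """Members the memberOf filter misses, with the likely reason for each."""
    rid = rid_from_sid(group["objectSid"])
    missed = members_via_group(users, group) - members_via_memberof(users, group_dn)
    return {dn: ("primary group, never present in memberOf" if users[dn].get("primaryGroupID") == rid
                 else "back-link absent on the queried DC: check GC / infrastructure master")
            for dn in sorted(missed)}


def live_check(host: str, bind_user: str, password: str, users_base: str, group_dn: str) -> dict:
    """Same comparison against a real DC (hypothetical connection details; needs the ldap3 package,
    imported here so the pure functions above run without it).  Assumes LDAPS on port 636."""
    from ldap3 import ALL, BASE, Connection, Server
    from ldap3.utils.conv import escape_filter_chars

    # auto_range=True makes ldap3 follow "member;range=0-1499" continuations on large groups
    conn = Connection(Server(host, use_ssl=True, get_info=ALL), user=bind_user,
                      password=password, auto_bind=True, auto_range=True)
    conn.search(group_dn, "(objectClass=group)", BASE, attributes=["member", "objectSid"])
    g = conn.response[0]
    group = {"objectSid": g["raw_attributes"]["objectSid"][0],
             "member": list(g["attributes"].get("member", []))}
    # Everyone the app's filter sees, plus everyone whose primary group is the target group
    flt = "(&(objectCategory=person)(|(memberOf=%s)(primaryGroupID=%d)))" % (
        escape_filter_chars(group_dn), rid_from_sid(group["objectSid"]))
    users = {}
    for e in conn.extend.standard.paged_search(users_base, flt, attributes=["memberOf", "primaryGroupID"],
                                               paged_size=500, generator=True):
        if e["type"] == "searchResEntry":
            users[e["dn"]] = {"memberOf": list(e["attributes"].get("memberOf", [])),
                              "primaryGroupID": int(e["attributes"].get("primaryGroupID") or 0)}
    # A direct member that matched neither branch has no usable back-link on this DC
    for m in group["member"]:
        users.setdefault(m, {"memberOf": [], "primaryGroupID": 0})
    return explain_missing(users, group, group_dn)


# Constructed sample (not real data): domain SID S-1-5-21-1000-2000-3000, Group_A given RID 1105.
def make_sid(*subs: int) -> bytes:
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


GROUP_DN = "CN=Group_A,OU=G-Security,OU=CB-Groups,OU=company,DC=lan,DC=name,DC=it"
ALICE = "CN=alice,OU=Users,DC=lan,DC=name,DC=it"            # normal member, back-link present
BOB = "CN=bob,OU=Users,DC=other,DC=name,DC=it"              # cross-domain member, no back-link on this DC
CAROL = "CN=carol,OU=Users,DC=lan,DC=name,DC=it"            # Group_A is her primary group, not in "member"
GROUP_A = {"objectSid": make_sid(21, 1000, 2000, 3000, 1105), "member": [ALICE, BOB]}
USERS = {ALICE: {"memberOf": [GROUP_DN], "primaryGroupID": 513},
         BOB: {"memberOf": [], "primaryGroupID": 513},
         CAROL: {"memberOf": [], "primaryGroupID": 1105}}

if __name__ == "__main__":
    for dn, why in explain_missing(USERS, GROUP_A, GROUP_DN).items():
        print(dn, "->", why)
```

On the sample the `memberOf` filter returns only alice, while reading `member` plus `primaryGroupID` returns alice, bob and carol; carol is flagged as a primary-group member and bob as a missing back-link. Note that the group's own `member` attribute does not list primary-group members either, so an application that wants every account "in" a group has to query both `member` and `(primaryGroupID=<RID>)`, or, as LeeM suggests, be configured with the group DN so it can do that itself.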