Missing Group Memberships in AD??

I ran into something really interesting today that took some time to figure out. Thought I should post in case anyone else is puzzled by the same scenario (and so that I can remember later).

I was running queries for group memberships and found inconsistencies between what I was seeing in ADUC and what my queries were pulling back. In ADUC, I could see user accounts in a group that did not show up in the query results or when I looked in ADSIEDIT.

I checked permissions, looked at the different attributes of the accounts, and compared ldp outputs. I finally noticed that the primary group memberships were changed to the groups that I was querying and not ‘domain users’, which is the default. With the primary group designation, the account is not listed in the member attribute for the group, nor is the group listed in the memberOf attribute for the account.

There really aren’t any compelling reasons to update an account’s primary group designation, unless you want the account to have more restrictive rights than a regular domain user, like guest users. Otherwise, it is a bit confusing and requires applications to look at more than just the memberOf or member attributes on users and groups to determine access.
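
One way to query membership so that primary-group accounts are not missed, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and a placeholder group name `Example-Group`; the function name is hypothetical.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-EffectiveGroupMember {
    # Hypothetical helper: lists direct members from both places AD records them.
    param([Parameter(Mandatory)][string]$GroupName)

    # primaryGroupToken is a constructed attribute that returns the group's RID;
    # it is only returned when requested explicitly.
    $group = Get-ADGroup -Identity $GroupName -Properties member, primaryGroupToken

    # 1) Accounts stored in the group's member attribute (what most queries read).
    foreach ($dn in $group.member) {
        [pscustomobject]@{ DistinguishedName = $dn; Source = 'member' }
    }

    # 2) Accounts whose primaryGroupID equals the group's RID. These do not
    #    appear in member on the group or memberOf on the account.
    Get-ADObject -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                Source            = 'primaryGroupID'
            }
        }
}

# 'Example-Group' is a placeholder; substitute the group being reviewed.
Get-EffectiveGroupMember -GroupName 'Example-Group' |
    Sort-Object Source, DistinguishedName

# Audit: user accounts whose primary group is not Domain Users (RID 513),
# so access reviews based on member/memberOf can account for them.
Get-ADUser -LDAPFilter '(!(primaryGroupID=513))' -Properties primaryGroupID |
    Select-Object SamAccountName, primaryGroupID
```

The function covers direct membership only; nested groups still need to be expanded separately.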
