Microsoft Windows Server Active Directory Discussions
 
SAMAccountName
(1)
Directory
(1)
Softera
(1)
Windows
(1)
Ather
(1)
Lab
(1)
Useraccountcontrol
(1)
Memberships
(1)

Missing "memberof" ldap attribute

Asked By Chris
20-Nov-09 04:36 PM
Reply
We have users that are missing the "memberof" ldap attribute when they belong
to domain security groups. If you look in the ADUC, it shows the user is a
member of multiple groups. When you look at the users LDAP attributes (using
3rd party tool Softera LDAP browser), the "memberof" attribute is missing
alltogether. Any ideas what might be happening? I do not see any errors in the
event logs.

I have domain admin permissions and that has no effect on whether it shows
or not. I have also created new ID's and it also has the same issue.

thanks,
Chris

I am not familiar with the Softera browser.

Richard Mueller [MVP] replied to Chris
20-Nov-09 06:06 PM
Reply
I am not familiar with the Softera browser. What do you see when you use Joe
Richards' free adfind utility. For example, for user with "pre-Windows 2000
logon" name jsmith:

adfind -default -f "(sAMAccountName=jsmith)" memberOf

Note that the number of values in the memberOf attribute will always be one
less than the number of direct group memberships shown in ADUC, because the
user is a member of only their "primary" group, the memberOf attribute has
no values and technically nothing is saved in AD, so perhaps it appears
there is no memberOf attribute. Ather tools you can use are ADSI Edit and
ldp.exe.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Richard,I used the tool and it does list the memberOf groups correctly.

Chris replied to Richard Mueller [MVP]
25-Nov-09 04:59 PM
Reply
Richard,

I used the tool and it does list the memberOf groups correctly. But we have
some third party apps that are not working correctly. I believe that when
these apps query for the LDAP attributes, it is not finding them
(specifically memberOf).

So when i used (Softera ..which is free) I see that the memberOf attribute
is missing. I also have since found out that the useraccountcontrol is also
not listed.

I found an instance in which you responded to someone else having a similar
issue.

This is how they fixed the problem:

The group Authenticated Users needs the permission Read to be set to
'Allow'. All the users objects we have been missing from our query results do
not have this permission set. When this permission is set correct they
appear in the results.


Might this be my issue and how would I verify this. I am looking in the ADUC
with Advanced Features and this group is set. Is it something else?
Previous Discussion:  ADAM Backup Event ID 2089
Post Question To EggHeadCafe