retrieving group members/membership from active directory when members attrib doesn't work

Question

I am trying to get all group members from "Domain Users". When using AD Users MMC tab, I get a lot of results. When using ADSI - not. The following DOESN'T work as expected:

• looking at members attribute of the group entry via LDAP/ADSI. It returns only 56 members when there are considerably more.
• searching by memberOf (returns just a few entries)
• searching by primaryGroup (it is not a primary group)
• searching by tokenGrops (it is a constructed attribute)

any ideas appreciated.

Answer 1

(I just read more carefully and saw that you mentioend it's not primary group...but I'm suspicious this is the answer anyway :))

There is another mechanism by which a user can be a member of a group, and it's controlled by the primaryGroupID attribute of the user in the group.

If the primaryGroupID of a user is set to some RID of a group, the user is functionally in the group, even though they don't show up in the member attribute of the group. Tools like ADUC are wise enough to look for this. When you step a bit lower in the stack and hit the directory over LDAP, it is up to you to be smart enough to go hunting for it.

You can either do searches for this or use constructed attributes in the directory that take this in to account.