Search code examples
active-directoryactive-directory-group

Active Directory group lists a member user, user's entry does not mention the group

I have group G and user U. The entry for G includes U as a "member" record. The entry for U does not include G as a "memberOf" record. (I am querying the entries programmatically, in C#, and viewing them in Softerra LDAP Browser). Can anybody explain this paradox?

Solution

  • The memberOf attribute is not authoritative. Whether a group is listed there depends on the "Scope" of the group. It will only include:

    1. Universal groups in the same AD forest
    2. Global groups from the same domain as the user
    3. Domain Local groups on the same domain as the server you are reading from (which may or may not be the same domain as the user)

    I describe this in a little more detail in an article I wrote, under the heading "Beware of memberOf".

    If you need to find groups that memberOf doesn't list, I also wrote an article called Finding all of a user's groups with code samples.