Global Catalog and memberOf (again!)

Guest

Hello

I have previously asked about Global Catalog and the attribute memberOf. I now have a follow-up question that better describes my problem.

I have the following domain structure:

company.com
se.company.com
dk.company.com
us.company.com
(a total of 30 subdomains)

I have defined a total of 3 Universal Groups, containing members from more than one subdomain. Now I would like to query the Global Catalog across all domains for a specific user and get a list of these 3 groups (no other groups are of interest) in the attribute memberOf.

I can only modify the connection string, not the application used. For testing, I use LDAP Browser from Softerra. I have chosen the main domain controller with a Global Catalog on it. The connection string is "dc01.company.com:3268".

And here is my question: Why is it that I can see the group membership using memberOf for some users and not for others? It's less than 2% of the users that have the attribute memberOf (but when it's there, my 3 groups are there!). What about the other 98%? Why isn't memberOf visible for them?

If I try a subdomain instead (and another Global Catalog), memberOf is correct, but I can only see users from that subdomain.

Is it possible to configure Active Directory so that memberOf is visible for my 3 groups at the "company.com" level for ALL users?

I am on Windows 2000 but will start a migration to Windows 2003 soon. Will 2003 solve this issue?

Regards
Mikael
 
Chriss3

Hello Mikael,
If you are working with universal groups, you should not put users directly as members; instead add the users into a global group and then the global group as a member of the universal group.

Something that may help to know is that Active Directory does not work against the MemberOf attribute; changes are made to the Members attribute of the group and are then linked to the MemberOf attribute. Members is the forward link.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

Mikael said:
Hello!

I have previously asked about Global Catalog and the attribute memberOf. I
now have a follow-up question that better describes my problem.
I have the following domain structure:

company.com
se.company.com
dk.company.com
us.company.com
(a total of 30 subdomains)

I have defined a total of 3 Universal Groups, containing members from more
than one sub domain. Now I would like to query the Global Catalog across all
domains for a specific user and get a list of these 3 groups (no other
groups are of interest) in the attribute memberOf.
I can only modify the connection string, not the application used. For
testing, I use LDAP Browser from Softerra. I have chosen the main domain
controller with a Global Catalog on it. The connection string is
"dc01.company.com:3268".
And here is my question: Why is it, that I can see the group membership
using memberOf for some users and not for others? It's less than 2% of the
users that has the attribute memberOf (but when it's there, my 3 groups are
there!). What about the other 98%? Why isn't memberOf visible for them?
If I try a subdomain instead (and another Global Catalog), memberOf is
correct, but I can only see users from that subdomain.
Is it possible to configure Active Directory so that memberOf is visible
for my 3 groups at the "company.com" level for ALL users?
 
Joe Richards [MVP]

Actually, you have to be careful with this as there are some apps that won't work this way. Exchange DLs, for instance, would most certainly break in a multidomain environment if you handled the Uni DLs this way.
 
Joe Richards [MVP]

This is exactly the way it works and no you can not change it.

Universal group memberships are kept on all GCs. GG and DLG memberships are not.

So when a UG of us.company.com has a user in it, any GC in the forest you query
will show the memberof of that user with the UG.

When you have a GG/DLG of us.company.com and it has the same user in it, that
will only show up on queries to DCs of us.company.com (whether they are GCs or not).

As mentioned previously, the memberof attribute is a back link to the member
attribute of the group. The member attribute is currently set to allow
use/transfer of its information to the PAS (partial attribute set or GC
partition). However this is hard coded within the OS to ONLY DO THIS WITH UG
Membership.

So, in summary, if a user is in a UG in any domain, any GC you query that user
on in the forest, will be aware of that membership. But for GG's and DLG's you
need to query a DC of the appropriate domain that the group exists in, you can
query either the LDAP or GC port for that info on those DCs.
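The rules Joe describes above, as an added example that is not code from the thread: a small Python model of which group objects a DC holds (a full replica of its own domain, a partial replica of every other domain in which member is replicated only for universal groups) and of memberOf as the back link computed from those member values. It answers "what memberOf would this DC show for this user on port 389 versus 3268" for a direct universal member, a global-group member and a user who reaches the universal group only through a nested global group. All domain, user and group names are constructed sample data, and the port and scope rules are the model's own encoding of the thread's description, not a query against a real directory.

```python
"""
Added model (not code from the thread) of which memberOf values a Windows DC
returns on its LDAP port (389) and its Global Catalog port (3268), following
Joe's description:

  * member on the group is the forward link; memberOf on the user is the
    back link, computed from whatever group objects the queried DC holds.
  * A DC holds a full replica of its own domain, so member is complete for
    every group of that domain (global, domain local and universal).
  * A GC also holds a partial replica of every other domain, and member is
    only replicated into that partial attribute set for universal groups.

All domain, user and group names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LDAP_PORT = 389
GC_PORT = 3268

# constructed sample DNs
ANNA = "CN=anna,DC=se,DC=company,DC=com"
BOB = "CN=bob,DC=us,DC=company,DC=com"
CARL = "CN=carl,DC=dk,DC=company,DC=com"
UG_ALL_SALES = "CN=AllSales,DC=company,DC=com"
GG_SE_SALES = "CN=SE-Sales,DC=se,DC=company,DC=com"
GG_DK_SALES = "CN=DK-Sales,DC=dk,DC=company,DC=com"


@dataclass
class Group:
    dn: str
    domain: str
    scope: str                                     # "universal", "global" or "domainlocal"
    member: Set[str] = field(default_factory=set)  # forward link: DNs of direct members


@dataclass
class Forest:
    users: Dict[str, str]     # user DN -> home domain
    groups: Dict[str, Group]  # group DN -> Group

    def groups_held_by(self, dc_domain: str, port: int) -> List[Group]:
        """Group objects whose member attribute a DC of dc_domain can read on this port."""
        if port == LDAP_PORT:
            # domain partition only: every group of the DC's own domain, full replica
            return [g for g in self.groups.values() if g.domain == dc_domain]
        if port == GC_PORT:
            # own domain in full, plus other domains' groups whose member is in the
            # partial attribute set, which per the thread is only universal groups
            return [g for g in self.groups.values()
                    if g.domain == dc_domain or g.scope == "universal"]
        raise ValueError(f"unsupported port {port}")

    def member_of(self, user_dn: str, dc_domain: str, port: int) -> List[str]:
        """memberOf values a DC of dc_domain returns for user_dn; [] when the user
        object is not in the partitions that port searches at all."""
        if port == LDAP_PORT and self.users[user_dn] != dc_domain:
            return []  # users of other domains are not in the domain partition
        # back link: groups whose forward link names this user directly
        return sorted(g.dn for g in self.groups_held_by(dc_domain, port)
                      if user_dn in g.member)


def build_sample_forest() -> Forest:
    """Three subdomains, one universal group in the root, two global groups."""
    ug = Group(UG_ALL_SALES, "company.com", "universal")
    gg_se = Group(GG_SE_SALES, "se.company.com", "global")
    gg_dk = Group(GG_DK_SALES, "dk.company.com", "global")
    ug.member |= {ANNA, BOB}      # direct universal membership across domains
    gg_se.member.add(ANNA)        # anna also in a global group of her own domain
    gg_dk.member.add(CARL)        # carl is only in a global group...
    ug.member.add(GG_DK_SALES)    # ...which is nested into the universal group
    return Forest(
        users={ANNA: "se.company.com", BOB: "us.company.com", CARL: "dk.company.com"},
        groups={g.dn: g for g in (ug, gg_se, gg_dk)},
    )


if __name__ == "__main__":
    forest = build_sample_forest()
    for user in (ANNA, BOB, CARL):
        for dc_domain, port in (("company.com", GC_PORT),
                                ("se.company.com", GC_PORT),
                                (forest.users[user], LDAP_PORT)):
            print(f"{user:40} via {dc_domain}:{port} -> "
                  f"{forest.member_of(user, dc_domain, port)}")
```

Reading the output: anna queried through any GC shows the universal group, but her global group only appears on a DC of se.company.com (either port); carl, whose only direct membership is the nested global group, shows an empty memberOf on every GC outside dk.company.com, because memberOf records direct membership and the global group's member attribute is not in the partial attribute set. That is the kind of case an application reading memberOf from a single GC would miss.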
 