users have gray hair in Domain Users group

[Guest]

We have 1 forest with three domains: two tree domains and one child domain. The members of domain users group in both of the tree domains have gray haired icons and the child domain has the normal black haired icon. I found kb281923 that talks about these symptoms when the membership is over 500 members.

However, when I use the below script to enumerate the membership of the domain users group in each of the domains, no user accounts are returned. To verify there were no issues in my script, I tried enumerating a different global group and the scripted worked like a champ. Does anybody know of any reasons why I cannot enumerate the Domain Local group?

If I look at the group with the Domain Users and Computers mmc, the group is populated as you would expect (just the users hair is gray instead of black). Thanks in advance for any help! When I echo out the adspath, the ldap path is correct.

Option Explicit
Dim oGroup, groupmember
Set oGroup = GetObject("LDAP://cn=domain users,cn=Users,dc=MyDomain,dc=root")
wscript.echo ogroup.adspath
For Each groupmember In ogroup.members
wscript.echo groupmember.cn
Next

 

[Cary Shultz [A.D. MVP]]

Chris,

Simon posted this same question back on the 5th of February. I do not
believe that anyone has responded with an answer yet! To my knowledge you
have found the only MSKB article that makes any mention of 'gray' or 'grey'
haired members.

I will do some more research on this.

HTH,

Cary

We have 1 forest with three domains: two tree domains and one child

domain. The members of domain users group in both of the tree domains have
gray haired icons and the child domain has the normal black haired icon. I
found kb281923 that talks about these symptoms when the membership is over
500 members.

However, when I use the below script to enumerate the membership of the

domain users group in each of the domains, no user accounts are returned. To
verify there were no issues in my script, I tried enumerating a different
global group and the scripted worked like a champ. Does anybody know of
any reasons why I cannot enumerate the Domain Local group?

If I look at the group with the Domain Users and Computers mmc, the group

is populated as you would expect (just the users hair is gray instead of
black). Thanks in advance for any help! When I echo out the adspath, the
ldap path is correct.

 

[Cary Shultz [A.D. MVP]]

Chris,

Looks like I got lucky and found this article. Here is the link:

http://www.mcpmag.com/columns/article.asp?EditorialsID=403

Does this apply to you?

Cary

We have 1 forest with three domains: two tree domains and one child

domain. The members of domain users group in both of the tree domains have
gray haired icons and the child domain has the normal black haired icon. I
found kb281923 that talks about these symptoms when the membership is over
500 members.

However, when I use the below script to enumerate the membership of the

domain users group in each of the domains, no user accounts are returned. To
verify there were no issues in my script, I tried enumerating a different
global group and the scripted worked like a champ. Does anybody know of
any reasons why I cannot enumerate the Domain Local group?

If I look at the group with the Domain Users and Computers mmc, the group

is populated as you would expect (just the users hair is gray instead of
black). Thanks in advance for any help! When I echo out the adspath, the
ldap path is correct.

 

[Guest]

I found that article as well and verified that my infrastructure master and global catalog server were different servers (we have at least two domain controllers in each of our domains). After waiting patiently, I still had the same results. The only thing that I haven't performed yet is a reboot of the infrastructer master domain controller.

 

[Guest]

One thing I did try.... I used the global.exe resource kit utility and it displayed all the users of the domain users group. I guess I'm still confused on why this doesn't work via vbscript because my end goal is to identify any domain users who have not logged into the domain in 4 weeks.