Group Membership and Primary Group

[Tomeczek]

I'm listing members of the "Domain Admins" group in Active Directory and realized, that the AD call objGroup.Members does not return user accounts, whose Primary Group is set to be "Domain Admins".

Is there a way to get these accounts?

 

[Tomeczek]

I found the solution, someone may be interested in the answer:

In general, LDAP search will not give you user accounts, whose "Primary Group" is equal to the group you want to list the membership. So, the users with the "Primary Group" set to "Domain Admins" will not be listed when listing "Domain Admins" members.
You have to search for all users, whose primaryGroupID attribute equals group's primaryGroupToken.
First you have to find group's primaryGroupToken - for "Domain Admins" it is 512.

The LDAP query should be:
"<LDAP://DC=Domain1,DC=Domain2,DC=com>;(&(objectClass=user)(objectCategory=person)(primaryGroupID=512));ADSpath;subtree"
After executing query, the record set will have all user accounts not listed in group membership.
You'll find user's object: Set objUser = GetObject(objRecSet.Fields("ADSpath").Value)

That's all it is...