I'm listing members of the "Domain Admins" group in Active Directory and realized that the AD call objGroup.Members does not return user accounts whose Primary Group is set to "Domain Admins".
I found the solution; someone may be interested in the answer:
In general, an LDAP search will not give you user accounts whose "Primary Group" is equal to the group whose membership you want to list. So, the users with the "Primary Group" set to "Domain Admins" will not be listed when listing "Domain Admins" members.
You have to search for all users whose primaryGroupID attribute equals the group's primaryGroupToken.
First you have to find the group's primaryGroupToken; for "Domain Admins" it is 512.
The LDAP query should be:
"<LDAP://DC=Domain1,DC=Domain2,DC=com>;(&(objectClass=user)(objectCategory=person)(primaryGroupID=512));ADSpath;subtree"
After executing the query, the record set will have all user accounts not listed in the group membership.
You'll find the user's object: Set objUser = GetObject(objRecSet.Fields("ADSpath").Value)