LDAP doesn't match WINNT provider...

[Jdogga]

Hi guys,
This is a question for you Active Directory LDAP guys.
I query the LDAP group "Domain Users" for the "member" attribute and I only get ONE member, strangely is the "Guest" user account.
If I look into LDAP using ADSIedit, the member attribute only has one object.
However, when I query WINNT, or pull up the group in ADUC or Hyena, I get a LONG list of users (as it should be).
Any ideas why this isn't matching up? This makes me afraid that this is not the only group with this symptom.

Thanks!

 

[tsuji]

LDAP provider exposes a hierachical structure of nested group whereas WinNT provider exposes a flat structure. Maybe have to look it in this direction.

 

[Jdogga]

tsuji,
Thanks for the reply. I realize this... however, a similar attribute in LDAP, memberof, shows (in a hierarchical manner) several groups separated by commas. I wonder why the users don't show up in the same manner.

 

[Jdogga]

Ahh... I think we found it.
The fact that it is "Domain Users" clued us in.
Apparently, LDAP doesn't return them as being members of the group since the group is their primary group.

WINNT doesn't care I suppose.
Whew... what a relief, I was worried about the health of our directory there.
Thanks for the help!