从Active Directory中检索组成员/成员时，成员ATTRIB不工作 [英] retrieving group members/membership from active directory when members attrib doesn't work

问题描述

我想从域用户，所有组成员。当使用AD用户MMC卡，我得到了不少成果。当使用ADSI - 不是。以下不按预期工作：

I am trying to get all group members from "Domain Users". When using AD Users MMC tab, I get a lot of results. When using ADSI - not. The following DOESN'T work as expected:

• 在看着成员通过LDAP / ADSI组条目的属性。它返回只有56个成员时，有相当多的。
• 将的memberOf搜索（返回短短数项）
• 将primaryGroup搜索（它不是一个主要组）
• 将tokenGrops搜索（这是一个构造的属性）

任何想法AP preciated。

any ideas appreciated.

推荐答案

（我刚才读更仔细一看，你mentioend它不是主组...但我怀疑这就是答案呢:) ）的

还有另一种机制，通过它，用户可以是一个组的成员，并且它是由该组中的用户的primaryGroupID属性控制

There is another mechanism by which a user can be a member of a group, and it's controlled by the primaryGroupID attribute of the user in the group.

如果一个用户的primaryGroupID设置为某个RID一组时，用户在功能组中，尽管它们不该组的成员属性在出现。像ADUC工具有足够的智慧来寻找这一点。当你踩在堆栈低一点，撞上了LDAP的目录，它是由你足够聪明去打猎吧。

If the primaryGroupID of a user is set to some RID of a group, the user is functionally in the group, even though they don't show up in the member attribute of the group. Tools like ADUC are wise enough to look for this. When you step a bit lower in the stack and hit the directory over LDAP, it is up to you to be smart enough to go hunting for it.

您可以做搜索这个或使用目录中的构造属性，这些属性借此到帐户。

You can either do searches for this or use constructed attributes in the directory that take this in to account.

这篇关于从Active Directory中检索组成员/成员时，成员ATTRIB不工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！