URL: https://mskb.pkisolutions.com/kb/275523
Submission: On August 18 via manual from US — Scanned from DE

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB)
archive and is intended to provide a reliable access to deleted content from
Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full
disclaimer for more details.

SETTING PRIMARY GROUP EXCLUDES THE USER FROM THE GROUP MEMBERSHIP IN ACTIVE
DIRECTORY

--------------------------------------------------------------------------------


SYMPTOMS

When you view Active Directory with a Lightweight Directory Access Protocol
(LDAP) utility such as Ldp.exe, the Members attribute of a group does not list
the users who have that group as their Primary group.

Likewise, the memberOf attribute of the user object does not contain the name
of the Primary group. This can cause problems for programs that query only the
Members attribute of the group and do not also query Active Directory for the
PrimaryGroupID attribute.

--------------------------------------------------------------------------------


CAUSE

This behavior occurs because Microsoft Windows 2000 has a group membership
limitation of 5000 users. This behavior is due to a limitation in the size of
the attribute that is being replicated. The primary group allows one group per
user to hold more than 5000 users. By default, every user is a member of the
Domain Users group.

The Microsoft Windows Server 2003 Forest mode removes this group membership
limitation. However, the primary group is still used in the same way.

--------------------------------------------------------------------------------


RESOLUTION

To resolve this behavior, create a separate attribute called PrimaryGroupID.
When you do this, all users can be a member of the Domain Users global group,
but instead of explicitly adding them to the Domain Users group membership,
assign the user a value for this group in the PrimaryGroupID value. The
PrimaryGroupID value is the RID of the group which is assigned as the user's
Primary group.

To make sure that the user has the appropriate access to resources in the
domain, you not only calculate group membership based on the memberof attribute,
you also query for the value of the PrimaryGroupID of the user accounts. When
you do this, you create the user's Token, and include the Primary group at the
log-on process for all of the groups of which the user is a member.

Programs that need to query groups to give users access that is based on group
membership should also query for the PrimaryGroupID attribute.
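
The combined lookup described above, as an added example that is not part of
the original article: it decodes the binary objectSid, derives the Primary
group's SID from the user's PrimaryGroupID, and reports the members that a
Members-only query would miss. The directory entries, the domain identifier,
the naming context and the function names are constructed for illustration.

```python
import struct

DOMAIN = (21, 1111111111, 2222222222, 3333333333)  # constructed domain identifier
BASE = "CN=Users,DC=testdomain,DC=example"          # constructed naming context

def pack_sid(*subs):
    """Build a binary objectSid (revision 1, authority 5) for the sample data."""
    head = struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_str(raw):
    """Decode a binary objectSid, as LDAP returns it, into S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(user_sid, primary_group_id):
    """Replace the user's RID with PrimaryGroupID to get the primary group's SID."""
    domain_sid = sid_to_str(user_sid).rpartition("-")[0]
    return f"{domain_sid}-{primary_group_id}"

def effective_members(group, users):
    """Return (all members, members a Members-only query would miss)."""
    explicit = set(group["member"])
    group_sid = sid_to_str(group["objectSid"])
    via_primary = {u["dn"] for u in users
                   if primary_group_sid(u["objectSid"], u["primaryGroupID"]) == group_sid}
    return explicit | via_primary, via_primary - explicit

# Constructed directory entries: one privileged group and three users.
GROUP = {"dn": f"CN=Domain Admins,{BASE}", "objectSid": pack_sid(*DOMAIN, 512),
         "member": [f"CN=Alice,{BASE}"]}
USERS = [
    {"dn": f"CN=Alice,{BASE}", "objectSid": pack_sid(*DOMAIN, 1104), "primaryGroupID": 513},
    {"dn": f"CN=Bob,{BASE}", "objectSid": pack_sid(*DOMAIN, 1105), "primaryGroupID": 512},
    {"dn": f"CN=Carol,{BASE}", "objectSid": pack_sid(*DOMAIN, 1106), "primaryGroupID": 513},
]

if __name__ == "__main__":
    everyone, missed = effective_members(GROUP, USERS)
    print("effective members:", sorted(everyone))
    print("missed by a Members-only query:", sorted(missed))
```

In a membership audit, any account in the second set holds the group's access
without appearing in the group's Members attribute.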

If more than 5000 users need to be added to a group, work around the 5000 member
limitation for groups by using nested groups under a master (parent) group.

--------------------------------------------------------------------------------


MORE INFORMATION

The Primary Group ID (PrimaryGroupID) is an integer value that represents the
primary group ID for this user.

The following example describes how to obtain the PrimaryGroupID user attribute
by using Microsoft Visual Basic (VB) script:

   ' Bind to the user through the WinNT provider and read the primary group's RID.
   Set usr = GetObject("WinNT://TestDomain/JSmith")
   UserID = usr.Get("PrimaryGroupID")
   MsgBox "The User's Primary Group ID is: " & UserID

--------------------------------------------------------------------------------


APPLIES TO:

 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows Server 2003 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003 Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003 Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003 Enterprise x64 Edition
 * Microsoft Windows Server 2003 Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003 Standard x64 Edition

Keywords: KB275523, kbprb, kbenv

Article Info

 * Article ID: 275523
 * Revision: 5
 * Created on: 10/11/2007
 * Published on: 10/11/2007
 * Exists online: False
 * Views: 227

--------------------------------------------------------------------------------


© 2022 PKI Solutions Inc. All Rights Reserved | Terms of Service | Privacy
Policy