Question on reconciling members and memberof attributes

Dan Sheehan

Greetings,
I have a customer who has had AD replication problems in the past, and
as such it appears some of the group memberships have become
inconsistent. Specifically, for example, users are showing as members of
the Domain Admin group, but their memberof attribute on their AD
account is not reflecting this. Both the group and user objects are in
the same domain.
I am having them double check to make sure the accounts don't have
Domain Admins set as the primary group (I don't think they would have
done this). I know MSFT does not recommend relying on the memberof
attribute as illustrated here:
http://support.microsoft.com/kb/304516/EN-US/

But...the customer is trying to clean up security, so I want to help
them try to get this accomplished (I like rewarding good behavior and
cleaning up security is definitely good behavior). So is there any tool
out there to force a DC to go through all of its groups and properly
reconcile the memberof attribute on the user accounts?
I know the Infrastructure Master server will do this cross domain - but
this is an intra-domain issue, plus I also don't know how to tell the
Infrastructure Master service to "run now". :)

Thanks!
 
Ok - so I guess I made a bad assumption. Someone had in fact switched
the primary group on the user accounts for some reason. They are
switching them back.

As a follow up to this - I noticed that Universal Distribution Group
memberships were not back linking properly across domains in this
environment. I suspect it was because both domains had the
Infrastructure Master role on a GC. I had the customer switch them to
regular DCs, but the group membership never got cleaned up.

Does anyone know of a way to get the Infrastructure Master to
re-evaluate existing group memberships? Like an Exchange RUS Rebuild so
to speak?

Thanks!
Dan Sheehan
MCSE 2003 + Messaging
 
Dan Sheehan said:
Ok - so I guess I made a bad assumption. Someone had in fact switched
the primary group on the user accounts for some reason. They are
switching them back.

As a follow up to this - I noticed that Universal Distribution Group
memberships were not back linking properly across domains in this
environment. I suspect it was because both domains had the
Infrastructure Master role on a GC. I had the customer switch them to
regular DCs, but the group membership never got cleaned up.

That should only affect the "appearance" in Universal groups
of renamed members but it MIGHT have some weird effect
I don't know of.

On the other hand, if you have a reasonably small forest then all
DCs can safely be GC (eliminating the issue of IFS master too.)

It's only when NOT all DCs are GCs that the two must be kept
separate.

Does anyone know of a way to get the Infrastructure Master to
re-evaluate existing group memberships? Like an Exchange RUS Rebuild so
to speak?

IFS Master doesn't really evaluate Membership per se, but merely
that any renamed object NAMES match the SIDS which are members.

More likely your GCs are not replicating.

(The GCs setup a similar replication topology -- which none of the
books seem to ever discuss -- to get "GC stuff" around the various
domains.)

Perhaps you just have some problem with the GCs themselves.
 
Ok, let me start off with this...

The member and memberof attributes are both fed from the same table. They
don't get out of sync with each other because they are the same table.

That being said, depending on the DC you query, the info you retrieve
can change based on scoping rules and backend implementation.

For instance, a user who is in Domain1 but in a domain local group in
Domain2 will not have that DLG listed on their memberof attribute if you
query the user on a Domain1 DC or Domain1 DC that is also a GC. However,
if you query a GC that is also a Domain2 DC, you will see the Domain2
DLG listed in the user's memberof attribute. If you look at the member
attribute on any Domain2 domain controller (GC or not) you will see the user
is a member of the DLG. If you look at a Domain1 GC, you will not
see that the user is a member of the group, in fact you won't see any
membership for the group.

Now for universal groups, assume the DLG above is now a UG... If you
look at the Domain1 user's memberof attribute on a Domain1 DC that isn't
a GC, you will not see the membership. If you look at a Domain1 DC that
is a GC you will see the membership. If you look at a Domain2 GC (or any
other Domain's GC for that matter) you will see the group listed in the
membership. You will always see the user listed in the UG's membership
whether you query a Domain2 DC or a GC that is a member of any Domain.

Does that help?



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
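A script that puts the points from this thread into practice, added here as an example and not code from any of the posters: it reads a group's forward link (member) and each member's back link (memberOf) from the same replica, so that a mismatch really is a mismatch rather than the scoping difference Joe describes, and it separately lists accounts whose primaryGroupID points at the group, since (as Dan found) those never appear in member or memberOf at all. It assumes the RSAT ActiveDirectory module; the group name and the server names are hypothetical. Running it once against a regular DC and once against the same DC's GC port (3268) shows the universal/domain-local scoping differences directly.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
# Server and group names are hypothetical placeholders.
Import-Module ActiveDirectory

function Compare-GroupLinks {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [string] $Server       # 'dc01' for the domain NC, 'dc01:3268' for the GC partition
    )

    # Read the forward link (member) from the chosen replica.
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member

    # The RID is the last component of the group SID; Domain Admins is RID 512.
    $groupRid = [int](($group.SID.Value -split '-')[-1])

    foreach ($dn in $group.member) {
        # Resolve each member on the SAME server so both sides of the link
        # come from one replica and one set of scoping rules.
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties memberOf
        if ($obj.memberOf -notcontains $group.DistinguishedName) {
            [pscustomobject]@{
                Object = $dn
                Issue  = 'in member, but memberOf on this replica lacks the group (check group scope / which DC or GC was queried)'
            }
        }
    }

    # Primary-group membership lives only in primaryGroupID: it is never written
    # to member or memberOf, which is why such accounts look "missing" from both.
    Get-ADUser -Server $Server -Filter "primaryGroupID -eq $groupRid" |
        ForEach-Object {
            [pscustomobject]@{
                Object = $_.DistinguishedName
                Issue  = "primaryGroupID = $groupRid (member via primary group only; not in member/memberOf)"
            }
        }
}

# Usage: compare the domain partition view with the GC partition view of the same DC.
Compare-GroupLinks -GroupName 'Domain Admins' -Server 'dc01.corp.example'
Compare-GroupLinks -GroupName 'Domain Admins' -Server 'dc01.corp.example:3268'
```

Two cautions when reading the output. A user from another domain whose memberOf lacks a universal group is expected when the query went to a non-GC DC, and a domain local group from another domain will not show at all through port 3268, exactly as described above; only a mismatch seen on a replica that should hold both links indicates a real problem. And for cleanup, the accounts reported under primaryGroupID are the ones to switch back to Domain Users (RID 513) before removing them from the group, because an account cannot be removed from its primary group.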
 