This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 70%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hi,
We have a Microsoft 2019 AD Server that gives inconsistent results when queried for all groups that a specific user is member of.
The query is as follows:
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=user1,CN=Users,DC=our_domain,DC=our_domain_suffix))
Now I am aware that primary groups should not be part of the result, but the behavior we get is that when the user is a member of "Domain Users" (the primary group) and some more groups, the result of the query is ALL those groups AND the Domain Users group (unexpected), but when the only group of the user is Domain Users the result is empty (as expected).
Can somebody explain this please?
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello @EA ,
Thank you for posting here.
Please tell us the steps how you query using the following command ?
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=user1,CN=Users,DC=our_domain,DC=our_domain_suffix))
Then I will set up a similar scenario to test it so that I will understand and help you better.
Thank you for your time and understand.
Best Regards,
Daisy Zhou
Hi Daisy,
I am using the python3 library ldap3.
The steps are basically creating a connection with
conn=ldap3.Connection(...)
and then querying by
conn.search('DC=x,DC=y,DC=z', search_scope=ldap3.SUBTREE, attributes=['cn'], search_filter='(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=user1,CN=Users,DC=our_domain,DC=our_domain_suffix))')
and the result is as described in the question.
I've also checked the AD log. It showed my queries correctly, and next to each, the numbers of results returned (depending of the current group membership...).
Thanks!
Hello @EA ,
Thank you for your update.
I am sorry, it seems python3 library ldap3 is not a Microsoft tool. We are not familiar with this tool.
Would you please tell us except that the result of the query on the tool we mentioned is not our expected behavior, are there any actual problems? Or if we use commands (such as net user username)to check whether the group members are normal?
Best Regards,
Daisy Zhou
Hi Daisy,
Well "net user username" does not seem to work the same way that the query should because it does always return the primary group.
As I said, I enabled the AD log in the DC itself and clearly see the same query logged incoming every time, and also in that log with every query I see the result of the AD. Nothing to do with the query method, everything within the AD itself. If the user belongs to Domain Users and another group, the log says "returned 2 objects" and when the user belongs just to the Domain Users group it says "returned 0 objects".
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Like you said, primary groups are not displayed for a user as it is a constructed group membership. Usually you can retrieve the same by modifying the search filter to include the well known identifier 513 for domain users group. However your issue will require extensive investigation and would request you to open a support ticket at https://support.microsoft.com/en-in/supportforbusiness/ for detailed analysis.
Hello @EA ,
Thank you for your update. And I am sorry for the late reply.
I did a test in my lab. And I can reproduce the problem as you mentioned.
1.I have three users (u5,u6 and u7).
Primary group: Domain Users.
Primary group: Domain Users.
3.Here is ldap search result for three users one by one.
Primary group: Domain Users (there is no primary group of the result) (Expected).
Primary group: Domain Users (there is no primary group of the result) (Expected).
Primary group: Domain Users (there is no primary group of the result), but there is Domain Users of the search result, because in such case, non-primary group (group00) belongs to primary group (Domain Users) (Unexpected).
In summary, if there is non-primary group belongs to primary group, the result will appear primary group. I suggest we can check if you have the same situation.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello @EA ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
Thank you very much for answering, it will take me some time to check this but as far as I remember none of the custom groups is a member of Domain Users or any other group, and the Domain Users is not a member of any of them as well. I will update as soon as I can.
Hello @EA ,
Thank you for your reply.
I look forward to hearing from you soon.
Thank you for your time and efforts.
Best Regards,
Daisy Zhou
