Reputation: 674
Does modifying the member attribute of a group in Active Directory (let's say with adsiedit) automatically modify the memberOf property of the corresponding user?
And as a secondary question, does setting member in the allowedAttributesEffective of a group automatically add memberOf to the allowedAttributesEffective attribute of all users?
I have no permission yet to modify the member property, so I cannot test by myself.
Upvotes: 7
Views: 28687
Reputation: 11873
Yes, if you modify the member attribute of a group, it will automatically update the memberOf attribute.
The memberOf attribute is called a computed back-link attribute or constructed attribute. It's maintained and calculated by Active Directory. You cannot modify this attribute.
Similarly, allowedAttributesEffective is a computed attribute, reflecting the actual ACLs set on the AD object. You cannot set this attribute directly, but you can modify the ACLs on the AD object. This attribute will reflect the fact.
There is no relationship between the group's allowedAttributesEffective attribute and the user's allowedAttributesEffective. They are independent. Setting an ACL on the group object won't affect the ACL on the user objects that the group contains.
Upvotes: 11
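The behaviour described in the answer above can be checked from PowerShell with the ADSI accelerator. This is an added example, not code from the original posts; the two distinguished names and the helper name Get-AdsiAttribute are placeholders, and it assumes a domain-joined session with the group and the user in the same domain.

```powershell
# Added example. Both DNs are placeholders (assumptions), not values from the page.
$groupDn = 'CN=ExampleGroup,OU=Groups,DC=example,DC=com'
$userDn  = 'CN=Example User,OU=Users,DC=example,DC=com'

function Get-AdsiAttribute {
    # Reads one attribute, asking the DC for it by name: constructed attributes
    # such as allowedAttributesEffective are not returned unless requested.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.psbase.RefreshCache([string[]]@($Attribute))
    @($entry.psbase.Properties[$Attribute] | ForEach-Object { [string]$_ })
}

# 1. What may the current caller write on each object? Each list is derived
#    from that object's own ACL, so the two are evaluated independently.
$groupWritable = Get-AdsiAttribute $groupDn 'allowedAttributesEffective'
$userWritable  = Get-AdsiAttribute $userDn  'allowedAttributesEffective'
"Writable on group: $($groupWritable.Count) attributes; member writable: $($groupWritable -contains 'member')"
"Writable on user : $($userWritable.Count) attributes"

# 2. Only attempt the change if the group's ACL grants write access to member.
if ($groupWritable -contains 'member') {
    $before = Get-AdsiAttribute $userDn 'memberOf'
    if ($before -notcontains $groupDn) {
        $group = [ADSI]"LDAP://$groupDn"
        [void]$group.psbase.Properties['member'].Add($userDn)   # write the forward link
        $group.psbase.CommitChanges()
    }
    # 3. Read the user again: memberOf was never written here, yet it lists the group.
    $after = Get-AdsiAttribute $userDn 'memberOf'
    "memberOf now contains group: $($after -contains $groupDn)"
} else {
    "No write access to member on $groupDn; nothing changed."
}
```

Step 1 alone is read-only, so it answers the "can I modify member?" question before any write permission has been granted.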