BreakHead

Reputation: 10672

LDAP query does not work for group Domain Users

I run the query (memberof=CN=Domain Users,DC=MYDOMAIN, DC=MYCOM)

but it returns zero results. The same query, if I run it for another group, returns results.

Upvotes: 5

Views: 18131

Answers (2)

JPBlanc

Reputation: 72630

As far as I understand, when you create a user it's by default a member of Domain Users. You can't see it in the memberOf attribute, but you can see it in the primaryGroupID (513=(GROUP_RID_USERS)). You can't suppress it unless you add a group and make it the primaryGroup for a given user.


A command like the following can allow you to build the list of people belonging to Domain Users.

ldifde -f file.ldf -d "ou=Monou,dc=dom,dc=fr" -r "(&(objectclass=user)(|(primaryGroupID=513)(memberOf=CN=Utilisateurs du domaine,CN=Users,DC=dom,DC=fr)))"

Be Careful

  1. Here French names are used ("Utilisateurs du domaine"="Domain Users")
  2. On my Windows 2008 R2 I HAVE TO RUN the ldifde command as Administrator to be able to filter on the memberOf attribute.

Changing the Primary group.

There is just ONE primary group. You can change the primary group. For that, you add the user to another group and make it primary. Then the primary group will be changed to the RID of the other group.

In the following screenshot the primary group is MonGroupe.

You can see the RID when it's selected as primary group.


Upvotes: 7
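The mechanics behind this answer can be checked offline. The following is an added example, not code from either answer or from Microsoft: a minimal evaluator for the LDAP filter subset used above (&, |, !, attribute=value) run against constructed user entries in a hypothetical DC=example,DC=com domain. It shows why a filter that only tests memberOf misses every account that still has the default primary group (RID 513), and why the combined primaryGroupID/memberOf filter from the answer finds them. This matters beyond reporting: any access check or audit script that resolves group membership solely from memberOf will silently exclude most of Domain Users.

```python
"""Evaluate an LDAP search filter against constructed directory entries.

Added example (not from the Stack Overflow answers). The domain, DNs and
accounts below are constructed sample data; the evaluator supports only the
filter subset needed here (&, |, ! and attribute=value with multi-valued
attributes) and compares values case-insensitively, a simplification of the
real DN and string matching rules.
"""

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
APP_ADMINS_DN = "CN=AppAdmins,CN=Users,DC=example,DC=com"

# Constructed entries. alice and svc-backup keep the default primary group
# (RID 513), so Domain Users does NOT appear in their memberOf. bob had his
# primary group switched to AppAdmins, so Domain Users became an ordinary
# membership and now shows up in memberOf. The workstation is objectClass
# user as well (computer derives from user) but has the computers RID 515.
SAMPLE_ENTRIES = [
    {"distinguishedName": ["CN=alice,CN=Users,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "primaryGroupID": ["513"], "memberOf": [APP_ADMINS_DN]},
    {"distinguishedName": ["CN=bob,CN=Users,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "primaryGroupID": ["1105"], "memberOf": [DOMAIN_USERS_DN, APP_ADMINS_DN]},
    {"distinguishedName": ["CN=svc-backup,CN=Users,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "primaryGroupID": ["513"], "memberOf": []},
    {"distinguishedName": ["CN=WS01,CN=Computers,DC=example,DC=com"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "primaryGroupID": ["515"], "memberOf": []},
]

# The filter from the question's approach and the one from the answer.
MEMBEROF_ONLY = f"(memberOf={DOMAIN_USERS_DN})"
COMBINED = f"(&(objectClass=user)(|(primaryGroupID=513)(memberOf={DOMAIN_USERS_DN})))"


def parse_filter(text):
    """Parse an RFC 4515-style filter into a tree of (op, payload) tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op = text[i]
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("!", [node]), i + 1
        # Simple equality: split on the first '=' only, so DN values keep theirs.
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item: {text[i:end]!r}")
        return ("=", (attr.strip(), value.strip())), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return node


def attribute_values(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(entry, node):
    """Recursively evaluate a parsed filter against one entry."""
    op, payload = node
    if op == "&":
        return all(matches(entry, child) for child in payload)
    if op == "|":
        return any(matches(entry, child) for child in payload)
    if op == "!":
        return not matches(entry, payload[0])
    attr, wanted = payload
    return any(v.lower() == wanted.lower() for v in attribute_values(entry, attr))


def search(entries, filter_text):
    """Return the sorted DNs of entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(e["distinguishedName"][0] for e in entries if matches(e, node))


if __name__ == "__main__":
    print("memberOf only :", search(SAMPLE_ENTRIES, MEMBEROF_ONLY))
    print("combined      :", search(SAMPLE_ENTRIES, COMBINED))
```

The memberOf-only filter returns just bob, the one user whose primary group was moved elsewhere; the combined filter returns alice, bob and svc-backup and still excludes the computer account, whose primary group RID is 515. Against a real directory the same filter strings go to ldifde or any LDAP client unchanged; only the evaluator is a stand-in.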

marc_s

Reputation: 754488

Yes, that's a known issue. Domain Users is typically the so-called default group for new users. That group name, for whatever reason, isn't added to the regular list of groups a user is a member of - it's always a messy special case that needs to be handled separately.

See Technet AD Default Groups for more information.

I don't think there's any easy way to make this work, unfortunately....

Upvotes: 3
