
Group:  English: Windows Server » microsoft.public.windows.server.general
Thread: Account Group Membership Visible in Active Directory Users and Computers but not Found in LDAP Query


Account Group Membership Visible in Active Directory Users and Computers but not Found in LDAP Query
"dln" <dnadon_nospm[ at ]hotmail.com> 12/30/2008 5:52:12 PM
Hello all,

I've just run across a problem I've never seen before and was hoping someone
could help me with it. We have an in-house (.NET) application that uses
LDAP to query Active Directory (Server 2003 R2 native mode) and check if a
user is a member of a specific group. With certain accounts (mine
included), this check fails. For other accounts, this same check succeeds.
I have replicated the call the .NET application uses via LDP and the
following query yields no results from within LDP, either:

(&(objectClass=group)(CN=Corporate)(member=<my user account's
distinguishedName goes here>))

I started digging a bit further into it and via Active Directory Users and
Computers, I can see my account as a member of the group in question.
However, if I look at the "member" attribute of the group via adsiedit.msc,
my account's distinguishedName is nowhere to be found. For that matter, my
account doesn't appear in any of the group's LDAP attributes. If I attempt
to add my user account's distinguishedName directly to the member attribute
of the group through adsiedit, adsiedit fails stating that the user is
already a member of the group (yes I know, modifying data via adsiedit is
not recommended but I'm grasping at straws at this point). My account is in
there somewhere, it's just not being reported back via the LDAP properties.

How is it that I can be a member of this group, yet not see a reference to
my account anywhere within the group's LDAP properties? Is there a
different attribute I should be looking at?

Thanks.

Re: Account Group Membership Visible in Active Directory Users and Computers but not Found in LDAP Query
"dln" <dnadon_nospm[ at ]hotmail.com> 12/30/2008 6:43:56 PM
So to resolve this, I removed my account from the group via AD Users and
Computers and then added my account's distinguishedName via adsiedit. It
fixed it, but I'm still curious as to how the group arrived in the state it
was in to begin with.

Cheers.

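Added example, not part of the original posts and not the poster's application code: a Python helper that builds the `member=` filter from the question with RFC 4515 escaping, and reports each place Active Directory can record a membership, so a mismatch between views is visible. It goes beyond the thread in also checking `memberOf` and the primary group (`primaryGroupID` on the user against `primaryGroupToken` on the group), which is never listed in `member`; the thread does not establish which case applied here. The entry dicts, the `example.com` DNs and the RID 1105 are constructed sample data.

```python
# Added example; all directory entries below are constructed sample data.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def membership_filter(group_cn: str, user_dn: str) -> str:
    """Build the filter from the post with both values escaped."""
    return '(&(objectClass=group)(CN=%s)(member=%s))' % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))

def _has_dn(values, dn):
    # Active Directory compares distinguished names case-insensitively.
    return dn.lower() in (v.lower() for v in values)

def membership_views(user: dict, group: dict) -> dict:
    """Return one boolean per place a membership can be recorded."""
    return {
        # Forward link on the group: what the filter in the post tests.
        'group.member': _has_dn(group.get('member', []),
                                user['distinguishedName']),
        # Back link on the user, derived from the group's member values.
        'user.memberOf': _has_dn(user.get('memberOf', []),
                                 group['distinguishedName']),
        # Primary group: stored as a RID on the user, not in member/memberOf.
        'primary group': user.get('primaryGroupID') is not None
                         and user.get('primaryGroupID')
                             == group.get('primaryGroupToken'),
    }

GROUP = {  # constructed
    'distinguishedName': 'CN=Corporate,OU=Groups,DC=example,DC=com',
    'member': ['CN=Alice Example,OU=Staff,DC=example,DC=com'],
    'primaryGroupToken': 1105,
}
ALICE = {  # constructed: ordinary member, visible in both link attributes
    'distinguishedName': 'cn=alice example,ou=staff,dc=example,dc=com',
    'memberOf': ['CN=Corporate,OU=Groups,DC=example,DC=com'],
    'primaryGroupID': 513,
}
JANE = {  # constructed: member only through the primary group
    'distinguishedName': 'CN=Doe\\, Jane (Temp),OU=Staff,DC=example,DC=com',
    'memberOf': [],
    'primaryGroupID': 1105,
}

if __name__ == '__main__':
    print(membership_filter('Corporate', JANE['distinguishedName']))
    for who in (ALICE, JANE):
        print(who['distinguishedName'], membership_views(who, GROUP))
```

An application that makes an authorization decision from the `member=` filter alone would treat the second constructed account as a non-member even though management tools list it in the group.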
