Re: Question on reconciling members and memberof attributes



Ok - so I guess I made a bad assumption. Someone had in fact switched
the primary group on the user accounts for some reason. They are
switching them back.

As a follow-up to this - I noticed that Universal Distribution Group
memberships were not back linking properly across domains in this
environment. I suspect it was because both domains had the
Infrastructure Master role on a GC. I had the customer switch them to
regular DCs, but the group membership never got cleaned up.

Does anyone know of a way to get the Infrastructure Master to
re-evaluate existing group memberships? Like an Exchange RUS Rebuild so
to speak?

Thanks!
Dan Sheehan
MCSE 2003 + Messaging

Dan Sheehan wrote:
Greetings,
I have a customer who has had AD replication problems in the past, and
as such it appears some of the group memberships have become
inconsistent. Specifically for example, users are showing as members of
the Domain Admin group, but their memberof attribute on their AD
account is not reflecting this. Both the group and user objects are in
the same domain.
I am having them double check to make sure the accounts don't have
Domain Admins set as the primary group (I don't think they would have
done this). I know MSFT does not recommend relying on the memberof
attribute as illustrated here:
http://support.microsoft.com/kb/304516/EN-US/

But...the customer is trying to clean up security, so I want to help
them try to get this accomplished (I like rewarding good behavior and
cleaning up security is definitely good behavior). So is there any tool
out there to force a DC to go through all of its groups and properly
reconcile the memberof attribute on the user accounts?
I know the Infrastructure Master server will do this cross domain - but
this is an intra-domain issue, plus I also don't know how to tell the
Infrastructure Master service to "run now". :)

Thanks!
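
An added example, not part of the original posts: a Python audit over exported member, memberOf and primaryGroupID values from a single domain, covering both the link mismatch asked about and the primary-group case that turned out to be the cause. The sample DNs and links are constructed, the function name `reconcile` is hypothetical, and RID 513 (Domain Users) is assumed as the expected primary group for user accounts.

```python
# Constructed sample export of one domain; every DN and link is made up.
BASE = "CN=Users,DC=example,DC=test"
DA, DU = f"CN=Domain Admins,{BASE}", f"CN=Domain Users,{BASE}"
ALICE, BOB, CAROL, DAVE = (f"CN={n},{BASE}" for n in ("alice", "bob", "carol", "dave"))

GROUPS = {  # rid = last component of the group's objectSid
    DA: {"rid": 512, "member": [ALICE, DAVE]},
    DU: {"rid": 513, "member": []},
}
USERS = {
    ALICE: {"primaryGroupID": 513, "memberOf": [DA]},   # consistent
    BOB:   {"primaryGroupID": 512, "memberOf": []},     # Domain Admins via primary group only
    CAROL: {"primaryGroupID": 513, "memberOf": [DA]},   # back link without forward link
    DAVE:  {"primaryGroupID": 513, "memberOf": []},     # forward link without back link
}

def reconcile(users, groups, default_rid=513):
    """Return (effective members per group, sorted list of findings)."""
    rid_to_group = {g["rid"]: dn for dn, g in groups.items()}
    effective = {dn: set(g["member"]) for dn, g in groups.items()}
    findings = set()
    for udn, user in users.items():
        rid = user["primaryGroupID"]
        primary = rid_to_group.get(rid)
        if primary is None:
            findings.add(("unknown-primary-group", udn, str(rid)))
        else:
            # Primary group membership is not stored in member or memberOf.
            effective[primary].add(udn)
            if rid != default_rid:
                findings.add(("non-default-primary-group", udn, primary))
        for gdn in user["memberOf"]:
            if gdn in groups and udn not in groups[gdn]["member"]:
                findings.add(("memberOf-without-member", udn, gdn))
    for gdn, group in groups.items():
        for mdn in group["member"]:
            if mdn in users and gdn not in users[mdn]["memberOf"]:
                findings.add(("member-without-memberOf", mdn, gdn))
    return effective, sorted(findings)

if __name__ == "__main__":
    effective, findings = reconcile(USERS, GROUPS)
    for kind, user, group in findings:
        print(f"{kind}: {user} -> {group}")
    print("Effective Domain Admins:", sorted(effective[DA]))
```

Members outside the exported user set (nested groups, accounts from other domains) are skipped rather than reported.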
