"Domain Users" optimisation...

Jeremy Allison jra at samba.org
Sat Oct 14 01:05:40 GMT 2006


Jerry, Guenther, Volker (and any other interested parties).

I found this quote on the "Domain Users" group in
AD:

A group in AD does not actually contain other objects in the same sense that an OU contains objects as a container.  A group in AD only references other objects in the directory through the use of the 'member' and 'memberOf' linked attributes.  This is the traditional group membership - primary groups are different, however.  If you were to pull up the group called 'Domain Users' and inspect the 'member' attribute on it, you would typically not find any membership.  Similarly, if you were to search every domain user and look at their 'memberOf' attribute, you would find no reference to the 'Domain Users' group.  This is because the primary group membership does not use the standard mechanism.  It is a legacy leftover that is held on the 'primaryGroupID' of the user.  To find all the members of a group that has been set as the primary group, you must do a single search looking for the primaryGroupToken equal to the primaryGroupID (e.g. (primaryGroupID=XXX)).

So the reason the ADS backend in winbindd returns an
empty list for the members of "Domain Users" is due
to it being the primary group of all users by default
I think.

So my optimization really helps for RPC backends, but
shouldn't hurt default AD installs. I'm still investigating
but the code looks valid I think.

Jeremy.
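
The lookup described in the quoted text, as an added example that is not part of the original message and is not Samba code: it takes the group's RID from its binary objectSid (the value AD exposes as primaryGroupToken), builds the (primaryGroupID=XXX) filter, and merges those users with the 'member' links. The domain SID, DNs and the in-memory dicts standing in for LDAP search results are all constructed.

```python
import struct

def make_sid(*subs):
    """Pack an S-1-5-<subs> SID in the binary objectSid layout (helper for the sample data)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_to_str(raw):
    """Decode a binary objectSid: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def rid_of(raw):
    """Last sub-authority of the SID; for a group this equals its primaryGroupToken."""
    return struct.unpack("<I", raw[-4:])[0]

def primary_member_filter(group):
    """The single search from the quoted text: users whose primaryGroupID is this group's RID."""
    return "(primaryGroupID=%d)" % rid_of(group["objectSid"])

def effective_members(group, users):
    """Return (linked, primary, all): 'member' links, primaryGroupID matches, and their union."""
    linked = set(group.get("member", []))
    token = rid_of(group["objectSid"])
    primary = {u["dn"] for u in users if u["primaryGroupID"] == token}
    return linked, primary, linked | primary

# Constructed sample directory; 513 is the well-known Domain Users RID.
DOMAIN = (21, 1111, 2222, 3333)
BASE = "CN=Users,DC=example,DC=test"
USERS = [
    {"dn": "CN=alice," + BASE, "primaryGroupID": 513},
    {"dn": "CN=bob," + BASE, "primaryGroupID": 513},
    {"dn": "CN=carol," + BASE, "primaryGroupID": 1105},  # primary group changed to Staff
]
DOMAIN_USERS = {"dn": "CN=Domain Users," + BASE, "objectSid": make_sid(*DOMAIN, 513), "member": []}
STAFF = {"dn": "CN=Staff," + BASE, "objectSid": make_sid(*DOMAIN, 1105),
         "member": ["CN=alice," + BASE]}

if __name__ == "__main__":
    for g in (DOMAIN_USERS, STAFF):
        linked, primary, everyone = effective_members(g, USERS)
        print(g["dn"], sid_to_str(g["objectSid"]), primary_member_filter(g))
        print("  member attribute only:", sorted(linked))
        print("  with primary group   :", sorted(everyone))
```
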

