Article ID: 321538 - Last Review: September 30, 2004 - Revision: 1.2

All members of a group may not be returned when you enumerate members of a group by using the Active Directory Service Interfaces WinNT provider

This article was previously published under Q321538

SYMPTOMS

When you enumerate members of a group by using the Active Directory Service Interfaces (ADSI) WinNT provider, and you use a binding string, a problem may occur. Some members of the group may not be returned if the group that you are enumerating is one of the following:
  • A local group that contains domain users and domain groups as members
  • A domain local group that contains groups from trusted domains as members

WORKAROUND

You can use the GetObject method to obtain the full member list. The GetObject method uses the credentials for the currently logged on user. The following code example demonstrates this.
GetObject("WinNT://<server>/<group>,group")
If the account that you want to use for enumerating the group is not the currently logged on user, you can use impersonation before you use the GetObject method.

For additional information about how to impersonate a user, click the following article number to view the article in the Microsoft Knowledge Base:
248187  (http://support.microsoft.com/kb/248187/ ) How to impersonate a user from Active Server Pages
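
The workaround as a complete script, added here as an example and not part of the original article: it binds with GetObject under the caller's own credentials and labels each member as local or as coming from a domain, which are the entries the article says can be missing when explicit credentials are passed. The script name, the argument handling, and the IsLocalPath helper are assumptions of this example; pass the server by its NetBIOS name.

```vbscript
' Added example, not part of the original article.
' Run as (or while impersonating) the account that should do the enumeration:
'   cscript //nologo ListGroupMembers.vbs <server> <group>
Option Explicit

Dim sServer, sGroup, oGroup, oMember, nLocal, nForeign

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript //nologo ListGroupMembers.vbs <server> <group>"
    WScript.Quit 1
End If
sServer = WScript.Arguments(0)
sGroup = WScript.Arguments(1)

' Bind without explicit credentials (the workaround): GetObject uses the
' security context of the caller, so no password appears in the script.
Set oGroup = GetObject("WinNT://" & sServer & "/" & sGroup & ",group")
WScript.Echo "Members of " & oGroup.ADsPath

nLocal = 0
nForeign = 0
For Each oMember In oGroup.Members
    ' Class tells users from groups; a nested group needs its own review.
    If IsLocalPath(oMember.ADsPath, sServer) Then
        nLocal = nLocal + 1
        WScript.Echo "  local   " & oMember.Class & "  " & oMember.ADsPath
    Else
        nForeign = nForeign + 1
        WScript.Echo "  domain  " & oMember.Class & "  " & oMember.ADsPath
    End If
Next
WScript.Echo nLocal & " local member(s), " & nForeign & " domain or trusted-domain member(s)"

' Assumption: a local account's path has the form
' WinNT://[<domain>/]<server>/<name>, so the segment just before the name
' is the server. Anything else (WinNT://<domain>/<name>, or an unresolved
' WinNT://S-1-5-... entry) is reported as not local.
Function IsLocalPath(sPath, sServerName)
    Dim aParts
    aParts = Split(Mid(sPath, Len("WinNT://") + 1), "/")
    IsLocalPath = False
    If UBound(aParts) >= 1 Then
        IsLocalPath = (StrComp(aParts(UBound(aParts) - 1), sServerName, vbTextCompare) = 0)
    End If
End Function
```

A count of zero domain members for a group that is known to contain domain accounts is the symptom this article describes.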

STATUS

This behavior is by design.

MORE INFORMATION

Steps to reproduce the problem

The Active Directory Service Interfaces WinNT provider does not connect to more than one server to compile the member list when explicit credentials are passed. Therefore, only a partial member list is returned. For example, if you run the following script to enumerate a local group that contains a group from a trusted domain, all members of the group are returned, except the group from the trusted domain.
'Start of the script
Dim oRoot
Dim oTargetGroup
Dim oMember
Const ADS_SECURE_AUTHENTICATION = 1

'Binding with explicit credentials (this is what triggers the partial list)
'All of the following are placeholders: <server> <group> <domain> <user> <password>
Set oRoot = GetObject("WinNT:")
Set oTargetGroup = oRoot.OpenDSObject("WinNT://<server>/<group>,group", "<domain>\<user>", "<password>", ADS_SECURE_AUTHENTICATION)
MsgBox oTargetGroup.ADsPath

'Enumerate the members that the provider returns
For Each oMember In oTargetGroup.Members
    MsgBox oMember.ADsPath
Next
'End of the script
IMPORTANT We do not recommend that you pass credentials in Active Directory Service Interfaces by using the Active Directory Service Interfaces WinNT provider.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
218497  (http://support.microsoft.com/kb/218497/ ) How to impersonate a user from Active Server Pages

REFERENCES

For additional information about programming with Active Directory Service Interfaces, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn.microsoft.com/en-us/library/aa772170.aspx

APPLIES TO
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Keywords: 
kbtshoot kbprb KB321538
 
