The memberof attribute of the user object is not populated with the group name. This can cause problems if programs do not query Active Directory for the PrimaryGroupID attribute, and only for the Members attribute of the group.
The Microsoft Windows Server 2003 Forest mode removes this group membership limitation. However, the primary group is still used in the same way.
To make sure that the user has the appropriate access to resources in the domain, you not only calculate group membership based on the memberof attribute, you also query for the value of the PrimaryGroupID of the user accounts. When you do this, you create the user's Token, and include the Primary group at the log-on process for all of the groups of which the user is a member.
Programs that need to query groups to give users access that is based on group membership should also query for the PrimaryGroupID attribute.
If more than 5000 users need to be added to a group, work around the 5000 member limitation for groups by using nested groups under a master (parent) group.
The following example describes how to obtain the PrimaryGroupID user attribute by using Microsoft Visual Basic (VB) script:
Set usr = GetObject("WinNT://TestDomain/JSmith")
UserID = usr.Get("PrimaryGroupID")
MsgBox "The User's Primary Group ID is:"& UserID
Article ID: 275523 - Last Review: Jan 7, 2008 - Revision: 1