All members of a group may not be returned when you enumerate members of a group by using the Active Directory Service Interfaces WinNT provider

Applies to: Windows Servers

Symptoms


When you enumerate members of a group by using the Active Directory Service Interfaces (ADSI) WinNT provider, and you use a binding string, a problem may occur. Some members of the group may not be returned if the group that you are enumerating has members of the following:
  • A local group that contains domain users and domain groups as members
  • A domain local group that contains groups from trusted domains as members

Workaround


You can use the GetObject method to obtain the full member list. The GetObject method uses the credentials for the currently logged on user. The following code example demonstrates this.
GetObject("WinNT://<server>/<group>,group")
If the account that you want to use for enumerating the group is not the currently logged on user, you can use impersonation before you use the
GetObject method.

For additional information about how to impersonate a user, click the following article number to view the article in the Microsoft Knowledge Base:

248187 How to impersonate a user from Active Server Pages

Status


This behavior is by design.

More Information


Steps to reproduce the problem

The Active Directory Service Interfaces WinNT provider does not connect to more than one server to compile the member list. This problem occurs if explicit credentials are passed. Therefore, only a partial member list is returned. For example, if you run the following script to enumerate a local group that contains a group from a trusted domain, all members of the group are returned, except the group from the trusted domain.
'Start of the script
Dim oRoot
Dim oSourceGroup
Dim oMember
Const ADS_SECURE_AUTHENTICATION=1

'Binding
Set oRoot = GetObject("WinNT:")
Set oTargetGroup = oRoot.OpenDSObject("WinNT://<server>/<group>,group", "<domain>\<user>", "<password>",ADS_SECURE_AUTHENTICATION)
'All of the following are placeholders: <server> <group> <domain> <user> <password>
msgbox oTargetGroup.ADSPath

For Each oMember in oTargetGroup.Members
msgbox oMember.ADsPath
Next
'End of the script
IMPORTANT We do not recommend that you pass credentials in Active Directory Service Interfaces by using the Active Directory Service Interfaces WinNT provider.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

218497 How to impersonate a user from Active Server Pages

References


For additional information about programming with Active Directory Service Interfaces, visit the following Microsoft Developer Network (MSDN) Web site: