Microsoft Azure Active Directory (Azure AD) Connect doesn't support primary group functionality. Therefore, it does not query the PrimaryGroupID attribute to build the group membership of a user. This may cause problems for users who are still using the primary group feature.
When you set the primary group for a user, that user is excluded from the corresponding group membership in Active Directory. Instead, the PrimaryGroupID attribute is set with that group.
- User1 belongs to Group1, which means that Group1 has User1 as a member.
- The primary group is changed on User1 from Domain Users to Group1:
- User1 is excluded from Group1 Members.
- User1 is added as a member of Domain Admins (because it's no longer the primary group).
- The User1 PrimaryGroupID attribute is set with the Group1 reference.
According to Setting Primary Group Excludes the User from the Group Membership in Active Directory, “Programs that need to query groups to give users access that is based on group membership should also query for the PrimaryGroupID attribute.”
However, Azure AD Connect does not support PrimaryGroupID because of the complexity of group membership synchronization. Additionally, this an old Active Directory requirement, per the following Windows Server 2003 documentation: “Microsoft Windows Server 2003 Forest mode removes this group membership limitation.”
ID do Artigo: 4014115 - Última Revisão: 03/03/2017 - Revisão: 13