> Just as an aside to this question that pops up once in a while, it almost
> seems as if the main purpose of the "primary group" is to cause confusion
> for scripters and administrators. Other than the fact that's about this
> thing noted by Richard and Wayne, the only other distinctions I could find
> out about regarding the concept of the "primary group", was that it is the
> only way to have more than 5000 members in a group because membership
> belongs to the member accounts rather than the group's members attribute.
>
> Is there some other use that can be made of the "primary group" beyond
> just letting it default to "domain users" and then forgetting about it
> altogether? What reason would there be for changing the primary group of a
> user to anything else?
>
> /Al
>
>
The only reason I have ever seen for changing primary group membership is to
support Macintosh clients or POSIX-compliant applications. I'm not familiar
with either.
I believe the best practice is to never change primary group membership from
the default. Then you can always assume everyone is a member of "Domain
Users". The same goes for computer accounts, whose default primary group is
"Domain Computers".
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -
http://www.rlmueller.net
--
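
The two points made in this thread (primary group membership is recorded on the account, in its primaryGroupID attribute, and the recommended practice is to leave it at the default) can be checked with a short audit. This is an added example, not code from the original posts; it assumes the ActiveDirectory PowerShell module and the well-known RIDs 513 (Domain Users) and 515 (Domain Computers), and the function names are hypothetical.

```powershell
# Added example: list accounts whose primary group is not the default.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$DefaultUserRid     = 513            # Domain Users
$DefaultComputerRid = 515            # Domain Computers
# Built-in defaults that differ from the two above:
# Domain Guests (514), Domain Controllers (516), Read-only Domain Controllers (521).
$ExpectedOtherRids  = 514, 516, 521

$DomainSid = (Get-ADDomain).DomainSID.Value

function Resolve-PrimaryGroupName {
    param([int]$Rid)
    # primaryGroupID holds only the RID; the group's SID is domain SID + "-" + RID.
    try   { (Get-ADGroup -Identity "$DomainSid-$Rid" -ErrorAction Stop).Name }
    catch { "<unresolved RID $Rid>" }
}

function Get-NonDefaultPrimaryGroup {
    # Query by primaryGroupID on the accounts themselves; the group's
    # member attribute does not list primary-group members.
    $users     = Get-ADUser     -LDAPFilter "(!(primaryGroupID=$DefaultUserRid))" `
                                -Properties primaryGroupID
    $computers = Get-ADComputer -LDAPFilter "(!(primaryGroupID=$DefaultComputerRid))" `
                                -Properties primaryGroupID

    foreach ($account in @($users) + @($computers)) {
        $rid = [int]$account.primaryGroupID
        [pscustomobject]@{
            SamAccountName  = $account.SamAccountName
            ObjectClass     = $account.ObjectClass
            PrimaryGroupID  = $rid
            PrimaryGroup    = Resolve-PrimaryGroupName -Rid $rid
            # True when the RID is one of the built-in defaults listed above;
            # rows with False are the ones to review.
            BuiltInDefault  = $ExpectedOtherRids -contains $rid
            DistinguishedName = $account.DistinguishedName
        }
    }
}

Get-NonDefaultPrimaryGroup |
    Sort-Object BuiltInDefault, PrimaryGroupID |
    Format-Table SamAccountName, ObjectClass, PrimaryGroupID, PrimaryGroup, BuiltInDefault -AutoSize
```

Rows with BuiltInDefault set to False are accounts whose primary group was changed from a default, so any check that assumes everyone is in "Domain Users" or "Domain Computers" does not hold for them.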