PHWinfo - Afficher un message - Re: Listing users from "Domain Users" group using AD query

08/10/2007, 11h45

Thanks for all your feedback...

I think I'll try and go with the LDAP query

Huw

"Richard Mueller [MVP]" wrote:

>
> > Just as an aside to this question that pops up once in a while, it almost
> > seems as if the main purpose of the "primary group" is to cause confusion
> > for scripters and administrators. Other than the fact thats about this
> > thing noted by Richard and Wayne, the only other distinctions I could find
> > out about regarding the concept of the "primary group", was that it is the
> > only way to have more than 5000 members in a group because membership
> > belongs to the member accounts rather than the group's members attribute.
> >
> > Is there some other use that can be made of the "primary group" beyond
> > just letting it default to "domain users" and then forgetting about it
> > altogether? What reason would there be for changing the primary group of a
> > user to anything else?
> >
> > /Al
> >
> >
>
> The only reason I have ever seen for changing primary group membership is to
> support Macintosh clients or POSIX-compliant applications. I'm not familiar
> with either.
>
> I believe the best practice is to never change primary group membership from
> the default. Then you can always assume everyone is a member of "Domain
> Users". The same goes for computer accounts, whose default primary group is
> "Domain Computers".
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>

08/10/2007, 11h45	#5
Huw Messages: n/a Hébergeur:	Re: Listing users from "Domain Users" group using AD query Thanks for all your feedback... I think I'll try and go with the LDAP query Huw "Richard Mueller [MVP]" wrote: > > > Just as an aside to this question that pops up once in a while, it almost > > seems as if the main purpose of the "primary group" is to cause confusion > > for scripters and administrators. Other than the fact thats about this > > thing noted by Richard and Wayne, the only other distinctions I could find > > out about regarding the concept of the "primary group", was that it is the > > only way to have more than 5000 members in a group because membership > > belongs to the member accounts rather than the group's members attribute. > > > > Is there some other use that can be made of the "primary group" beyond > > just letting it default to "domain users" and then forgetting about it > > altogether? What reason would there be for changing the primary group of a > > user to anything else? > > > > /Al > > > > > > The only reason I have ever seen for changing primary group membership is to > support Macintosh clients or POSIX-compliant applications. I'm not familiar > with either. > > I believe the best practice is to never change primary group membership from > the default. Then you can always assume everyone is a member of "Domain > Users". The same goes for computer accounts, whose default primary group is > "Domain Computers". > > -- > Richard Mueller > Microsoft MVP Scripting and ADSI > Hilltop Lab - http://www.rlmueller.net > -- > > >