Overview
Domain Users usually refers to the users of an AD DOMAIN. In AD, it is a Global Group and Security Group, identified by a Well-known Security Identifier, that by default includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
Most methods do not reveal membership in the "primary" group. For most users, the "primary" group would be "Domain Users". Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals "primary" group membership. In most domains, the member attribute of the "Domain Users" group is empty, and it is safe to assume that all users belong to this group.
Domain Users LDAP Query Examples: for all users that have "Domain Users" designated as their "primary", search for all users whose primaryGroupID attribute is 513 (by default). The primaryGroupID attribute of the group "Domain Users" is the same integer, 513. The LDAP SearchFilter syntax could be:
Or, to find all direct members of "Domain Users", plus all users that have this group designated as their "primary":
To find all users that have some other group designated as their "primary", the filter could be:
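The three searches described above, written out as an added example (not taken from the original page), with the same logic applied client-side to constructed sample entries so the difference between memberOf and primaryGroupID is visible. The DN, the account names and the RID 1105 are assumptions; only the value 513 comes from the page.

```python
# Added example: the entries below are constructed sample data, not directory output.
DOMAIN_USERS_RID = 513  # default primaryGroupID value given on the page
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"  # assumed DN

_USER = "(objectCategory=person)(objectClass=user)"
# 1. Users that have Domain Users designated as their "primary" group.
FILTER_PRIMARY = f"(&{_USER}(primaryGroupID={DOMAIN_USERS_RID}))"
# 2. Direct members of Domain Users plus users that have it as "primary".
FILTER_ALL = (f"(&{_USER}(|(primaryGroupID={DOMAIN_USERS_RID})"
              f"(memberOf={DOMAIN_USERS_DN})))")
# 3. Users that have some other group designated as their "primary".
FILTER_OTHER = f"(&{_USER}(!(primaryGroupID={DOMAIN_USERS_RID})))"

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "bob", "primaryGroupID": 513,
     "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
    # Other primary group; Domain Users is an ordinary (direct) membership.
    {"sAMAccountName": "carol", "primaryGroupID": 1105,
     "memberOf": [DOMAIN_USERS_DN]},
    # Other primary group and not a direct member of Domain Users.
    {"sAMAccountName": "svc-backup", "primaryGroupID": 1105, "memberOf": []},
]

def _names(users):
    return sorted(u["sAMAccountName"] for u in users)

def primary_is_domain_users(users):
    """Client-side equivalent of FILTER_PRIMARY."""
    return _names(u for u in users if u["primaryGroupID"] == DOMAIN_USERS_RID)

def all_domain_users(users):
    """Client-side equivalent of FILTER_ALL (DN comparison is case-insensitive)."""
    dn = DOMAIN_USERS_DN.lower()
    return _names(u for u in users
                  if u["primaryGroupID"] == DOMAIN_USERS_RID
                  or dn in (g.lower() for g in u["memberOf"]))

def other_primary(users):
    """Client-side equivalent of FILTER_OTHER: accounts holding a group
    membership that memberOf will not show, worth listing in an audit."""
    return _names(u for u in users if u["primaryGroupID"] != DOMAIN_USERS_RID)

if __name__ == "__main__":
    for f in (FILTER_PRIMARY, FILTER_ALL, FILTER_OTHER):
        print(f)
    print(primary_is_domain_users(SAMPLE_USERS), other_primary(SAMPLE_USERS))
```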
More Information
There might be more information for this subject on one of the following:
- [#1] - Can't get all member objects from Domain Users in LDAP - based on information obtained 2012-06-05
- [#2] - Active Directory: Finding all of a user’s groups - based on information obtained 2019-05-08