Overview

In Microsoft Active Directory, the MemberOf value is the DN of a group of which the current entry is a member, and is referred to as a Forward Reference. (We use the term Virtual Attribute.) This implies you cannot monitor the MemberOf attribute for changes (like with DirXML).

Within Microsoft Active Directory, MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only). This means you can NOT update the attribute. To add a user to a group, you have to write the user's DN to the member attribute on the group object.
Beware of MemberOf

The MemberOf attribute only includes Active Directory Groups that have a Group Scope of:
- Universal Group, when the group is in the same AD Forest as the user, or
- Global Group, when the group and the user are in the same AD DOMAIN (being in the same AD Forest is not enough), or
- Domain Local Group, only if the user is from the same AD DOMAIN as the Domain Controller you are retrieving results from.

The MemberOf attribute does NOT include:
- the user's primary group (usually Domain Users)
- Active Directory Groups on external trusted domains.
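
For an access review, the practical consequence is that MemberOf alone under-reports a user's groups. The following added example (not part of the original page) is an offline model that encodes the rules exactly as listed above and reports which memberships a MemberOf-only check would miss; it does not query a real directory, and every class, function, DN and domain name in it is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    dn: str
    scope: str      # "universal", "global" or "domainlocal"
    domain: str
    forest: str
    members: set = field(default_factory=set)  # DNs in the group's member attribute

@dataclass
class User:
    dn: str
    domain: str
    forest: str
    primary_group: str  # DN of the primary group (usually Domain Users)

def reported_member_of(user, groups, dc_domain):
    """Group DNs MemberOf would list when read from a DC in dc_domain (page's rules)."""
    seen = set()
    for g in groups:
        if user.dn not in g.members or g.dn == user.primary_group:
            continue                      # the primary group is never listed
        if g.forest != user.forest:
            continue                      # group on an external trusted domain
        if (g.scope == "universal"
                or (g.scope == "global" and g.domain == user.domain)
                or (g.scope == "domainlocal" and user.domain == dc_domain)):
            seen.add(g.dn)
    return seen

def missed_by_member_of(user, groups, dc_domain):
    """Effective memberships that a MemberOf-only review would not see."""
    effective = {g.dn for g in groups if user.dn in g.members}
    effective.add(user.primary_group)
    return effective - reported_member_of(user, groups, dc_domain)

# Constructed sample data: one user, five groups, two forests.
EMEA, AMER, FOREST = "emea.example.test", "amer.example.test", "example.test"
ALICE = User("CN=alice,DC=emea,DC=example,DC=test", EMEA, FOREST,
             "CN=Domain Users,DC=emea,DC=example,DC=test")
GROUPS = [
    Group("CN=Domain Users,DC=emea,DC=example,DC=test", "global", EMEA, FOREST),
    Group("CN=VPN,DC=amer,DC=example,DC=test", "universal", AMER, FOREST, {ALICE.dn}),
    Group("CN=HR,DC=emea,DC=example,DC=test", "global", EMEA, FOREST, {ALICE.dn}),
    Group("CN=FileShare,DC=emea,DC=example,DC=test", "domainlocal", EMEA, FOREST, {ALICE.dn}),
    Group("CN=Partners,DC=partner,DC=test", "domainlocal", "partner.test", "partner.test", {ALICE.dn}),
]

if __name__ == "__main__":
    for dc in (EMEA, AMER):
        print(dc, sorted(missed_by_member_of(ALICE, GROUPS, dc)))
```

In this model the primary group and the external-trust group are missed from either Domain Controller, and the Domain Local group is additionally missed when the read goes to a Domain Controller outside the user's domain.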