Overview
MemberOf is an LDAP AttributeType whose value is the DN of a Group in which the current LDAP Entry is a member; it is referred to as a Forward Reference. It is a Virtual Attribute. This implies you cannot monitor the MemberOf attribute for changes (like with DirXML).
Within Microsoft Active Directory, MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only). This means you can NOT update the attribute. To add a user to a group, you have to write the user's DN to the member attribute on the group object.
Beware of MemberOf
MemberOf only includes Active Directory Groups if they have a Group Scope of:
- Universal Group and are in the same AD Forest as the user, or
- Global Group and the user is in the same AD DOMAIN (even if in the same AD Forest)
- Domain Local Group, only if the user is from the same AD DOMAIN as the Domain Controller you are retrieving results from.
MemberOf does:
- NOT include the user’s primary group (usually Domain Users)
- NOT include Active Directory Groups on external trusted domains.