Overview

MemberOf is an LDAP AttributeType whose value is the DN of the LDAP Entry (the Group) in which the current LDAP Entry is a member. It is a back-link to the forward link Member, computed by the directory rather than stored, and is referred to as a Virtual Attribute. This implies you can not monitor the MemberOf attribute for changes (like with DirXML).
Within Microsoft Active Directory, MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only); this means you can NOT update the Attribute Value. In order to add a user to a group you have to write the user's DistinguishedName to the member attribute on the group object.
LDAP Microsoft Active Directory Attribute Definition

The MemberOf AttributeType is defined as:
- CN: Is-Member-Of-DL
- OID of 1.2.840.113556.1.2.102
- NAME: MemberOf
- DESC: This attribute specifies the distinguished names of the groups to which this object belongs
- SYNTAX: 2.5.5.1 (1.3.6.1.4.1.1466.115.121.1.12)
- OMSyntax: 127
- SchemaIDGUID: bf967991-0de6-11d0-a285-00aa003049e2
- mapiID: 32776
- USAGE: UserApplications
- linkID: 3 (Which makes this a BackLink attribute to the Forward link of Member)
- Extended Flags:
- Used as MUST in:
- Used as MAY in:
Beware of MemberOf

Active Directory Groups only appear in MemberOf if they have a Group Scope of:
- Universal Group and are in the same AD Forest as the user, or
- Global Group and the user are in the same AD DOMAIN (being in the same AD Forest is not enough), or
- Domain Local Group only if the user is from the same AD DOMAIN as the Domain Controller you are retrieving results from.
MemberOf does NOT include:
- the user's primary group (usually Domain Users)
- Active Directory Groups on external trusted domains.
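The scope rules above, and the fact that MemberOf is derived from the group's member attribute rather than written directly, can be modelled to see what a given Domain Controller would return and what an access review misses if it relies on MemberOf alone. This is an added example on constructed directory data, not code from the page or any AD/LDAP library; the `Group`, `User`, `member_of`, `add_member` and `effective_direct_groups` names are assumptions of this example.

```python
"""Model of AD's computed memberOf back-link, derived from the forward link 'member' with the
scope caveats above. Added example on constructed data; the names are mine, not an AD/LDAP API."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    dn: str
    domain: str        # DNS name of the domain holding the group object
    scope: str         # "Universal", "Global" or "DomainLocal"
    member: frozenset  # forward link: the DNs admins write to 'member'

@dataclass(frozen=True)
class User:
    dn: str
    domain: str
    primary_group_dn: str  # held in primaryGroupID, never in 'member' or memberOf

def add_member(group: Group, user_dn: str) -> Group:
    """The only supported write: append to 'member' on the group (memberOf is NO-USER-MODIFICATION)."""
    return Group(group.dn, group.domain, group.scope, group.member | {user_dn})

def member_of(user: User, groups, dc_domain: str, forest: set) -> list:
    """DNs a DC in `dc_domain` would return in this user's memberOf attribute."""
    result = []
    for g in groups:
        if user.dn not in g.member or g.domain not in forest:
            continue  # not a direct member, or group lives in an external trusted domain
        if g.scope == "Universal":
            result.append(g.dn)  # any domain in the forest
        elif g.scope == "Global" and g.domain == user.domain:
            result.append(g.dn)  # same domain as the user only
        elif g.scope == "DomainLocal" and g.domain == dc_domain == user.domain:
            result.append(g.dn)  # only when answered by a DC of the user's own domain
    return sorted(result)

def effective_direct_groups(user: User, groups, dc_domain: str, forest: set) -> list:
    """What an audit must check: memberOf plus the primary group that memberOf omits."""
    return sorted(set(member_of(user, groups, dc_domain, forest)) | {user.primary_group_dn})

FOREST = {"corp.example", "eu.corp.example"}  # constructed forest; partner.example is an external trust
ALICE = User("CN=alice,OU=Users,DC=corp,DC=example", "corp.example", "CN=Domain Users,CN=Users,DC=corp,DC=example")
GROUPS = [
    Group("CN=Domain Users,CN=Users,DC=corp,DC=example", "corp.example", "Global", frozenset()),
    Group("CN=All-Staff,OU=Groups,DC=eu,DC=corp,DC=example", "eu.corp.example", "Universal", frozenset()),
    Group("CN=EU-Admins,OU=Groups,DC=eu,DC=corp,DC=example", "eu.corp.example", "Global", frozenset()),
    Group("CN=Corp-Admins,OU=Groups,DC=corp,DC=example", "corp.example", "Global", frozenset()),
    Group("CN=Local-Ops,OU=Groups,DC=corp,DC=example", "corp.example", "DomainLocal", frozenset()),
    Group("CN=Partners,OU=Groups,DC=partner,DC=example", "partner.example", "Universal", frozenset()),
]
GROUPS = [g if g.dn == ALICE.primary_group_dn else add_member(g, ALICE.dn) for g in GROUPS]  # write 'member', never memberOf
```

Querying a corp.example DC lists All-Staff, Corp-Admins and Local-Ops; an eu.corp.example DC drops Local-Ops, and neither ever shows EU-Admins, Partners or Domain Users.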