Overview #
MemberOf is an LDAP AttributeType whose values are the DNs of the LDAP Entries (Groups) of which the current LDAP Entry is a member. It is a back reference (or Virtual Attribute) to the Forward Reference held in the group's member attribute. How MemberOf is used depends on the LDAP Server Implementation, but it is known to be used in Microsoft Active Directory.
A Virtual Attribute in Microsoft Active Directory #
MemberOf is a Virtual Attribute. This implies you cannot monitor the MemberOf attribute for changes (as with DirXML). Within Microsoft Active Directory MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only)[1]; this means you can NOT update the Attribute Value. In order to add a user to a group you have to write the user's DistinguishedName to the member attribute on the group object.
LDAP Microsoft Active Directory Attribute Definition #
The MemberOf AttributeType is defined as:
- CN: Is-Member-Of-DL
- OID of 1.2.840.113556.1.2.102
- NAME: MemberOf
- DESC: Specifies the distinguished names of the groups to which this object belongs
- EQUALITY:
- ORDERING:
- SYNTAX: 2.5.5.1 (1.3.6.1.4.1.1466.115.121.1.15)
- LOWERBOUND:
- UPPERBOUND:
- OMSyntax: 127
- SchemaIDGUID: bf967991-0de6-11d0-a285-00aa003049e2
- mapiID: 32776
- NO-USER-MODIFICATION
- USAGE: UserApplications
- linkID: 3 (Which makes this a BackLink attribute to the Forward link of Member)
- Extended Flags:
  - X-SYSTEMFLAGS
  - X-SCHEMAFLAGSEx
  - X-SEARCH-FLAGS
- Used as MUST in:
- Used as MAY in:
Beware of MemberOf #
A user's MemberOf attribute in Active Directory only includes a Group if the Group has a Group Scope of:
- Universal Group and the Group is in the same AD Forest as the user, or
- Global Group and the Group is in the same AD DOMAIN as the user (being in the same AD Forest is not sufficient), or
- Domain Local Group, only if the user is from the same AD DOMAIN as the Domain Controller you are retrieving results from.

MemberOf does NOT include:
- the user's primary group (usually Domain Users), which is recorded by the primaryGroupID attribute rather than by the member link, or
- Active Directory Groups on external trusted domains.
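Because MemberOf is only a back link and omits the primary group, a tool that audits group membership should resolve it from the forward link (each group's member attribute) plus primaryGroupID. The following is an added example, not code from the original page: the directory entries are constructed sample data standing in for LDAP search results of one domain (real AD attribute names, made-up DNs and SIDs), and it also follows nested group membership, which the memberOf back link likewise does not show.

```python
"""Resolve AD group membership from the member forward link instead of the
memberOf back link. Added example; GROUPS and USERS are constructed sample data
standing in for LDAP search results (DNs and SIDs are made up)."""

# Constructed sample: what an LDAP search of a single domain might return.
DOMAIN_SID = "S-1-5-21-111-222-333"
GROUPS = {
    # Primary group: membership is implied by primaryGroupID, no member link exists.
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-513", "member": []},
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1101",
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    # Nested: Helpdesk is itself a member of Tier1-Admins.
    "CN=Tier1-Admins,OU=Groups,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1102",
        "member": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
}
USERS = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "primaryGroupID": 513,
        # The back link carries direct memberships only and omits the primary group.
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
}

def naive_membership(user_dn):
    """What you get by trusting memberOf alone."""
    return set(USERS[user_dn]["memberOf"])

def effective_membership(user_dn):
    """Primary group via primaryGroupID (domain SID + RID), then walk the
    member forward link transitively to pick up nested groups."""
    primary_sid = f"{DOMAIN_SID}-{USERS[user_dn]['primaryGroupID']}"
    found = {dn for dn, g in GROUPS.items() if g["objectSid"] == primary_sid}
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group_dn, g in GROUPS.items():
            if dn in g["member"] and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)  # follow nesting one level deeper
    return found

if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    missed = effective_membership(alice) - naive_membership(alice)
    print("memberOf misses:", sorted(missed))
```

Against a live domain the same logic applies to the results of LDAP searches for member and primaryGroupID; the point is that memberOf alone under-reports, so an audit or access review that reads only memberOf will miss the primary group and any nested membership.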