LDAPWiki: MemberOf

Overview #

MemberOf is an LDAP AttributeType where the value is the DN of an LDAP Entry is the Group that the current LDAP Entry is a member in a Group and is referred to as a Forward Reference. (or Virtual Attribute)

MemberOf is usage is dependent on the LDAP Server Implementation but is a known to be used in Microsoft Active Directory

MemberOf is a Virtual Attribute. This implies You can not monitor the MemberOf attribute for changes (Like with DirXML)

Within Microsoft Active Directory MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only)[1]; This means you can NOT update the Attribute Value. In order to add a user to a group you have to write the user's DistinguishedName to the member attribute on the group object.

The MemberOf AttributeTypes is defined as:

Active Directory Groups only include MemberOf if they have a Group Scope of:

Universal Group and are in the same AD Forest as the user, or
Global Group and user are on the same AD DOMAIN (even if in the same AD Forest)
Domain Local Group only if user is from the same AD DOMAIN of the Domain Controller you are retrieving results from.
NOT include the user’s primary group (usually Domain Users)
NOT include Active Directory Groups on external trusted domains.

There might be more information for this subject on one of the following: