User management

Permissions assigned to Domain Users do not propagate to members

When you work product support on a specific product, you need to have a solid grasp of how to set up the product, as well as the best practices for making things work as you want and expect. This was certainly the case for me when I worked for FotoWare. One of these best practices was not to use the Domain Users group to set permissions.

What I hadn’t expected, was that this best practice would return as something I would find useful more than five years after leaving that job. And yet, I did a few months ago. Tier one support came to me with an issue where users wouldn’t get access to software distributed through Software Center. Looking at the settings in System Center, we found that access to the software was granted to Domain Users.

The reason why it didn’ t work was the fact that permissions assigned to Domain Users do not propagate to members of that group. Digging a bit further, I found the reason:

Most methods do not reveal membership in the “primary” group. For most users, the “primary” group should be “Domain Users”. Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals “primary” group membership. In most domains, the member attribute of the “Domain Users” group is empty, and it is safe to assume that all users belong to this group. If you need to query for all users that have “Domain Users” designated as their “primary”, search for all users whose primaryGroupID attribute is 513.

The primaryGroupToken attribute of the group “Domain Users” is the same integer, 513. The LDAP syntax filter could be: (primaryGroupID=513) Or, to find all direct members of “Domain Users”, plus all users that have this group designated as their “primary”: (|(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513)) To find all users that have some other group designated as their “primary”, the filter could be: (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))

Richard Mueller on TechNet

Knowing this, the solution becomes pretty obvious; you should have a different contained OU to grant permissions.

By posting a comment, you consent to our collecting the information you enter. See privacy policy for more information.

This site uses Akismet to reduce spam. Learn how your comment data is processed.