
KB-2090: "adquery group" command does not return primary group members

Centrify DirectControl

12 April,16 at 11:12 AM

Applies to:

All DirectControl versions on all platforms

Question:

The "adquery user" command returns information about primary group membership but the adquery group command does not return primary group members.

For instance,

User "test" has an AD primary group called "primarygroup".
"primarygroup" is a member of a zone-enabled group called "agroup".

adquery user is able to show test as a member of agroup:

[root@rhls64 /]# adquery user -G test
agroup
test

But adquery group is not able to show test as a member:

[root@rhls64 /]# adquery group -m agroup
administ

Answer:

This is working as designed by Microsoft: normally, a user is not explicitly a member of their primary group.

http://support.microsoft.com/kb/297951
http://support.microsoft.com/kb/275523

There is a parameter you can set in /etc/centrifydc/centrifydc.conf to override this:

adclient.get.primarygroup.membership: true

Then run adreload and adflush.

e.g.

[root@rhls64 /]# adquery group -m agroup
administ
test
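
The gap described above matters when group listings are used for access reviews. The following is an added illustration, not Centrify or Microsoft code: a simplified model of the KB's scenario in which the primary group is recorded on the user object (the primaryGroupID attribute) rather than in the group's member list. The RID values and the function names are constructed for the example.

```python
# Constructed directory data modelling the KB's scenario (not real AD output).
# AD records a user's primary group as primaryGroupID (the group's RID) on the
# user object; the group's "member" attribute does not list that user.
GROUPS = {
    "agroup": {"rid": 1201, "member": ["administ", "primarygroup"]},
    "primarygroup": {"rid": 1202, "member": []},
}
USERS = {
    "administ": {"primaryGroupID": 513},
    "test": {"primaryGroupID": 1202},
}


def group_members(name, include_primary=False, _seen=None):
    """Return the sorted user members of a group, expanding nested groups.

    include_primary=False walks only "member" attributes.
    include_primary=True also adds users whose primaryGroupID matches the
    RID of each group visited.
    """
    seen = _seen if _seen is not None else set()
    if name in seen:  # guard against circular nesting
        return []
    seen.add(name)
    group = GROUPS[name]
    users = set()
    for entry in group["member"]:
        if entry in GROUPS:
            users.update(group_members(entry, include_primary, seen))
        else:
            users.add(entry)
    if include_primary:
        users.update(u for u, attrs in USERS.items()
                     if attrs["primaryGroupID"] == group["rid"])
    return sorted(users)


def audit_gap(name):
    """Users with effective membership that a member-only listing misses."""
    return sorted(set(group_members(name, True)) - set(group_members(name)))


if __name__ == "__main__":
    print("member-only:    ", group_members("agroup"))
    print("with primary:   ", group_members("agroup", include_primary=True))
    print("missed by audit:", audit_gap("agroup"))
```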






 
