Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Active directory: member and memberof properties relationship

Modifying member attribute of a group in Active Directory (let's say with asdiedit), automatically modifies memberOf property of corresponding user?

And as secondary question, setting member in the allowedAttributesEffective of a group automatically adds the memberof in the allowedAttributesEffective attribute of all users?

I have no permission yet to modify member property, so I cannot test by myself.

like image 821
Eduard Avatar asked Jul 06 '12 10:07

Eduard


1 Answers

Yes, if you modify member attribute of a group. It will automatically update the memberOf attribute.

memberOf attribute is called computed back-link attribute or constructed attribute. It's maintained and calculated by Active Directory. You cannot modify this attribute.

Similarly, allowedAttributesEffective is a computed attribute, reflecting the actual ACLs set on the AD object. You cannot set this attribute directly but you can modify the ACLs on the AD object. This attribute will reflect the fact.

There is no relationship between group's allowedAttributesEffective attribute and user's allowedAttributesEffective. They are independent. Setting ACL on group object won't affect the ACL on user object that the group contains.

like image 75
Harvey Kwok Avatar answered Nov 06 '22 18:11

Harvey Kwok