All members of a group may not be returned when you enumerate members of a group by using the Active Directory Service Interfaces WinNT provider (321538)


The information in this article applies to:

  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
This article was previously published under Q321538

SYMPTOMS

When you enumerate members of a group by using the Active Directory Service Interfaces (ADSI) WinNT provider, and you use a binding string, a problem may occur. Some members of the group may not be returned if the group that you are enumerating has members of the following:
  • A local group that contains domain users and domain groups as members
  • A domain local group that contains groups from trusted domains as members

WORKAROUND

You can use the GetObject method to obtain the full member list. The GetObject method uses the credentials for the currently logged on user. The following code example demonstrates this. 
GetObject("WinNT://<server>/<group>,group")
If the account that you want to use for enumerating the group is not the currently logged on user, you can use impersonation before you use the GetObject method.

For additional information about how to impersonate a user, click the following article number to view the article in the Microsoft Knowledge Base:

248187 How to impersonate a user from Active Server Pages

STATUS

This behavior is by design.

MORE INFORMATION

Steps to reproduce the problem

The Active Directory Service Interfaces WinNT provider does not connect to more than one server to compile the member list. This problem occurs if explicit credentials are passed. Therefore, only a partial member list is returned. For example, if you run the following script to enumerate a local group that contains a group from a trusted domain, all members of the group are returned, except the group from the trusted domain.
'Start of the script
Dim oRoot
Dim oSourceGroup
Dim oMember
Const ADS_SECURE_AUTHENTICATION=1

'Binding
Set oRoot = GetObject("WinNT:")
Set oTargetGroup = oRoot.OpenDSObject("WinNT://<server>/<group>,group", "<domain>\<user>", "<password>",ADS_SECURE_AUTHENTICATION)
'All of the following are placeholders: <server> <group> <domain> <user> <password>
msgbox oTargetGroup.ADSPath 

For Each oMember in oTargetGroup.Members   
	msgbox oMember.ADsPath
Next
'End of the script
IMPORTANT We do not recommend that you pass credentials in Active Directory Service Interfaces by using the Active Directory Service Interfaces WinNT provider.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

218497 How to impersonate a user from Active Server Pages

REFERENCES

For additional information about programming with Active Directory Service Interfaces, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn.microsoft.com/library/en-us/adsi/adsi/adsi_reference.asp

Modification Type:MajorLast Reviewed:9/30/2004
Keywords:kbtshoot kbprb KB321538 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.