Hello

I have an ASP.NET C# page that can create users and add them to a group in Active Directory.
This script also removes the newly created user from the "Domain Users" group.

For some (perhaps strange) reason the following does not return users, who are not in the "Domain Users" group...

DirectoryEntry group = new DirectoryEntry("LDAP://grouppath");
foreach(object dn in group.Properties["member"] )
{
    Response.Write(dn);
}

Is this normal behavior?
Is there a way to list users of a group, who are not members of "Domain Users"?

Thanks,
Jesper

 If you can expand the groupPath, Is this like LDAP//YourADdomain/CN=GroupName,OU=Level1,OU=level2,DC=..,DC=... ?

I would rather connect to the domain: LDAP//YourADdomain/DC=..,DC=... ?

and set up filter to group name.  This way I need not remember the OUpath/hierarchy. Also did not try with CN and OU path for expanding group members.

Usually all users regardless are members of DomainUsers which explains why your query did not return any users.

I tried the first one, getting directly to the group.

I realised, removing the user from "Domain Users" (not having that group as the primary) -Or having any group in the "Users" folder as the primary was the problem...

As soon as i added the users to a group setting in the "Users" folder, and making that the primary, the user would pop in searches...

 So i created my own group there, and now im making that the primary. Not sure if this is right way to solve this, or the only?

 Jesper

changing the primary group is not a good idea: I would check with the domain administrator for this.  Again if you search the AD domain with filters, you should be able to see the accounts in a group.

Why is that not a good idea?

 I check with the domain admin. They are not allowed to be in "domain users"...

In our AD tree, everybody has domain users as primary group and than depending on the rights required, etc the primary group is changed. I believe this is a standard practice : I  could be wrong.

Questions:
Should the users not be in domain users at all OR the primary group should not be domain users.

If the domain admins have no problem, I guess it is ok. Again depending on what your application has to accomplish: there are 2 steps/modules. Clean up the way users are set / complete the application that brought out this issue.