Microsoft KB Archive/321538

= All members of a group may not be returned when you enumerate members of a group by using the Active Directory Service Interfaces WinNT provider =

Article ID: 321538

Article Last Modified on 9/30/2004

-

APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



This article was previously published under Q321538



SYMPTOMS
When you enumerate members of a group by using the Active Directory Service Interfaces (ADSI) WinNT provider, and you use a binding string, a problem may occur. Some members of the group may not be returned if the group that you are enumerating has members of the following:
 * A local group that contains domain users and domain groups as members
 * A domain local group that contains groups from trusted domains as members



WORKAROUND
You can use the GetObject method to obtain the full member list. The GetObject method uses the credentials for the currently logged on user. The following code example demonstrates this. GetObject(&quot;WinNT:// / ,group&quot;) If the account that you want to use for enumerating the group is not the currently logged on user, you can use impersonation before you use the GetObject method.

For additional information about how to impersonate a user, click the following article number to view the article in the Microsoft Knowledge Base:

248187 How to impersonate a user from Active Server Pages



STATUS
This behavior is by design.



Steps to reproduce the problem
The Active Directory Service Interfaces WinNT provider does not connect to more than one server to compile the member list. This problem occurs if explicit credentials are passed. Therefore, only a partial member list is returned. For example, if you run the following script to enumerate a local group that contains a group from a trusted domain, all members of the group are returned, except the group from the trusted domain. 'Start of the script Dim oRoot Dim oSourceGroup Dim oMember Const ADS_SECURE_AUTHENTICATION=1

'Binding Set oRoot = GetObject(&quot;WinNT:&quot;) Set oTargetGroup = oRoot.OpenDSObject(&quot;WinNT:// / ,group&quot;, &quot; \ &quot;, &quot; &quot;,ADS_SECURE_AUTHENTICATION) 'All of the following are placeholders: msgbox oTargetGroup.ADSPath

For Each oMember in oTargetGroup.Members msgbox oMember.ADsPath Next 'End of the script IMPORTANT We do not recommend that you pass credentials in Active Directory Service Interfaces by using the Active Directory Service Interfaces WinNT provider.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

218497 How to impersonate a user from Active Server Pages

