Hello! You are correct. I had to dig into it and found out that the primaryGroupID is considered an "implicit membership." It is uncommon to change but Guest is 514, as an example. The issue happens with the Guest user account as well since it is (traditionally) only a member of the security group called Domain Guests. I was able to confirm this using the Windows LDP tool. Apparently, I just never had to use LDAP to actually query for all memberships in the past, it was always using third-party tools which would include even the "implicit" memberships. ... View more

The reason for using this is to be able to create a list of all groups a user is in. That above query will evaluate and memberOf still does not show "Domain Users" but shows every other group. The documentation makes no mention that the primary group ID will not show up, unfortunately the network I am currently on I am unable to add a test user and assign the primary group to something else and remove them from Domain Users but I can't see how it would be normal functionality to exclude the primary group the user is a member of.   I have just never in my career seen something that could list group memberships and would intentionally skip the primary group, or "Domain Users" whichever is true in this scenario.   I tested with Domain Computers as well and had the same results. It still seems weird. ... View more

Hello! I realize this is bumping an extremely old thread, but it was still relevant. I went to use this and it looks like it completely ignores the "Domain Users" group. If a user is a member of two or more groups it doesn't create row for it in the memberOf row. If the account is ONLY a member of the "Domain Users" group it doesn't even show the memberOf column. This seems to be the only group it happens with, any standard "Built-In" group from AD shows up except for Domain Users. Initially I thought it had to do with spaces but groups with spaces show up fine so not sure what is happening here. ... View more