Domain Users group empty. Why?

Have a Openfire server integrated into Active Directory via LDAP.

Detected a strange problem, group Domain Users, which contains all domain users is empty.

There is about 300 users in AD, but Openfire don’t shown anyone into this group.

Btw, other groups shows correctly.

Does anyone have some comments on this?

Windows 2003 SP1 R2 Enterprise + RH EL5 for OpenFire server.

PS it will be much better if default mysql tables creates with utf8 default collation

This is the case on my server as well. My guess is this an Active Directoy query issue. Namely the default Users container is just that a container or CN. Folders you create are OUs. Openfire cannot query within nested groups and groups in Active Directory are CNs. You should create any groups you wish to query in an OU, and not use the Active Directory system created groups. The system created groups should remain in their original container.

hmmm… in my plans i will put users into diffferent OUs, but not all of them.

Than how to get a group containg ALL users from domain?

Btw, in “Users” I see all of them, but not in Domain Users. Users who contains into other group have only other groups in properties, but noone have Domain Users

btw2, if it is like you are talking, than should be a similar problem with Domain Admins group, but I see members of it fine.

Regardless of the fact that the restictions on Domain Admins is completely different that Domain Users by default. OUs are not groups within the AD architecture. They are folders called organizational units. Your AD tree should be organized via OUs. It is bad form and quite limiting to keep users and computers in their default containers. You can either believe this or not. This is not an issue of Openfire IMO but a limitation of AD and your use of it.

Okay, I’ve understand this.

Than we have a next question: How to automatically all to all users rosters all of users?

plz, w/o solutions like create a OU and add all there.

I will try to explain this better because you do not seem to understand how AD LDAP functions.

OU= Organizational Unit - this structure is meant to hold containers such as Users, Computers, and Groups. The containers within this structure are what define your LDAP configuration based on your BaseDN.

BaseDN = Defined stating point for all LDAP queries. This starting point can include any number of nested OUs in conjunction with the domain. For example: OU=someOU2,OU=someOU1,DC=domain,DC=com.

CN = containers - Conatiners in Active Directory consist of User Accounts, Bound Computers, Security and Ditribution Groups, Users and Computers folders created by default by AD.

Now to answer your question specifically:

create an OU with in that OU you create a Security Group. Make all users accounts of your Active Directory, that should have access to chat, members of this security group. Once this group replicates to openfire share this group. Please refer to these docs:

thanks for answer, i hoped that there will be other solution than you wrote.

btw I had this option

It really is key to setup your AD structure in an organized way. This will aid you with future LDAP integrations as well as policy enforcement and software deployment. See my image below for an example.


The most likely reason that the filter returns no one is that everyone in the Domain Users group has that set as their Primary Group. Active Directory stores this information in the users “PrimaryGroup” attribute as a number (the group’s PrimaryGroupToken attribute), and NOT in the memberOf attribute.

Therefore, the LDAP filter you need is:


The value “513” is using the following assumptions: (pasted from:

**Values for primaryGroupID :
**513 Domain Users 514 Domain Guests
515 Domain Computers 516 Domain Controllers

To pull users that were in Domain Users that did not have that group as their Primary Group:

(memberOf=CN=Domain User,dc=company,dc=com)

To combine both scenarios (Primary Group and “non” Primary Group):

(|(primaryGroupID=513)(memberOf=CN=Domain User,dc=company,dc=com))


good. but no changes.

btw specified 513+domain users, and still got all users, BUT Domain Users group in Openfire still empty.

While what has been revealed is true but again these default AD groups are not meant to be used for LDAP. You need to do what i previously stated. Not to harp but for your own security and management of your Domain you need to make changes similar to what i proposed. You do not need to copy my structure, but you should make one other than the default containers. You are doing yourself a disservice otherwise.