Missing AD Group Users

Did anyone figure out a solution to this issue?

See these two archived threads:

I have a W2K8 box with Openfire 3.6.4 and am having the exact same issues. Openfire is not pulling in all of the group members. I am sure it has to be an LDAP issue. You can search for the user and find them and also find them in the list but they don’t show up in the group.

I have had a few issues with groups and users and not getting the correct details I want.

Have you created an AD security group that contains the users you want, directly or by adding other groups to it? If so, I had a problem and it was the filter (http://www.igniterealtime.org/community/thread/38835). I have made some changes to it:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=CompanyA,DC=Company,DC=local)(!(userAccountControl:1.2.840.113556.1.4.804:=2))(!(cn=service*)))

The (userAccountControl:1.2.840.113556.1.4.804:=2) should hide any disabled accounts. I am not 100% sure about .804 or .803 being needed. You need to be careful with matching a fixed value against userAccountControl, as password expiry and similar options force a different mask into this.

The (memberOf:1.2.840.113556.1.4.1941:=CN=XMPP_Users,…) should iterate any groups that are members of XMPP_Users for their users and list them as members of XMPP_Users.

If your baseDN is not broad enough, then the filter won't retrieve the details. I found that using the Active Directory Users and Computers MMC and creating saved searches allowed me to better test the connection before applying a filter that locked out the administrators. Also check how it goes changing between CN and OU for the path names. I have seen some filters all (CN=…,CN=…,CN=…,DC=…,DC=…) and others (CN=…,OU=…,OU=…,DC=…,DC=…). I saw a reference to using ADExplorer (Sysinternals) and have found it a great help, as it's pretty good at letting you see what you can use.

As for group filters, I have not really experimented too far.

Brian
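Added example, not part of the thread: a small offline model of the three matching rules used in the filter above (.803 is the bitwise AND rule, .804 the bitwise OR rule, .1941 the in-chain rule), run against a constructed directory. The account and group names other than XMPP_Users, and all userAccountControl values, are made up for illustration.

```python
# Standard userAccountControl flag values; directory contents below are constructed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

def bit_and(value, mask):
    """1.2.840.113556.1.4.803: true when ALL bits of mask are set in value."""
    return (value & mask) == mask

def bit_or(value, mask):
    """1.2.840.113556.1.4.804: true when ANY bit of mask is set in value."""
    return (value & mask) != 0

# Direct memberOf links only (constructed). Helpdesk is nested inside XMPP_Users.
MEMBER_OF = {
    "alice": {"XMPP_Users"},
    "bob": {"Helpdesk"},
    "carol": {"Helpdesk"},
    "service_backup": {"XMPP_Users"},
    "dave": {"Finance"},
    "Helpdesk": {"XMPP_Users"},
    "Finance": set(),
}
UAC = {
    "alice": NORMAL_ACCOUNT,                                          # 512
    "bob": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                     # 66048
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE,  # 66050
    "service_backup": NORMAL_ACCOUNT,
    "dave": NORMAL_ACCOUNT,
}

def in_chain(obj, group, seen=None):
    """1.2.840.113556.1.4.1941 on memberOf: follow nested groups, cycle-safe."""
    if seen is None:
        seen = set()
    for parent in MEMBER_OF.get(obj, ()):
        if parent == group:
            return True
        if parent not in seen:
            seen.add(parent)
            if in_chain(parent, group, seen):
                return True
    return False

def roster(group):
    """Users the filter would return: in chain, not disabled, cn not service*."""
    return sorted(u for u, uac in UAC.items()
                  if in_chain(u, group)
                  and not bit_or(uac, ACCOUNTDISABLE)
                  and not u.lower().startswith("service"))

if __name__ == "__main__":
    print(roster("XMPP_Users"))
```

For a single-bit mask such as 2 the AND and OR rules give the same answer; they only differ when the mask has more than one bit set. A plain equality test against 514 would miss carol, whose value is 66050 because of the extra password flag.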