We have a group, we’ll call it Business Admin. It contains the people who actually run the business (the secretaries, oh, excuse me, the “Executive Assistant” and “Administrative Assistants”) as well as the people who think they run the business, like for example the CEO and CFO et cetera.
One person who is supposed to be a member of this group, the head of Marketing, wasn’t showing up in the group membership lists using the various Microsoft GUI tools. However, attempting to add this person would generate an “OBJECT ALREADY EXISTS” error. Huh?
When I tried standardized CLI tools like OpenLDAP’s ldapsearch and ldapadd utilities to query AD across the network, it still behaved the same way. You couldn’t see this person in the group membership, but when you tried to add him it’d say he was already in the list.
Looking at his user account description object, there was quite clearly a “memberof” attribute pointed at the group. Don’t get me started about the insanity of maintaining both “member” and “memberof” in the same directory, when the latter is clearly both sufficient and empirically better, that’d be a major digression. But here we had a memberof with no member showing in the group listing… that’s never supposed to happen.
Using powershell’s Get-ADGroupMember, though, you did see him in the listing. So, I figured, something’s deeply broken, but I’ll delete him with powershell, and re-add with the GUI, and all will be well in Microsoft land.
When a man is aroused, the arteries in the penis relax and viagra sales france widen. The mainly symptoms of prostatitis include difficult, painful, or frequent urination; pain in the lower back and so on. http://amerikabulteni.com/2016/11/08/bob-dylan-ve-amerikan-siir-gelenegi/ order viagra india These are likely the drugs that the doctor is aware wholesale viagra from canada of the patient’s complete history of alcohol abuse. There are different causes of low sperm count, erectile dysfunction, weak ejaculation, low semen volume and enjoy intimate tadalafil online order moments with your beautiful female.
However, when I tried to use Remove-ADGroupMember from a privileged shell on the domain controller, it replied “The user cannot be removed from a group because the group is currently the user’s primary group”. OK, so I changed the primary group for the Marketing head to be something else and repeated the delete operation.
This time the delete succeeded. Now here’s the weird part. After I deleted the user from the group, then the user started showing up in group listings. Got that? He was not showing up, so I deleted him, and then he showed up.
After that everything just worked. I deleted him again, and he went away, and I added him back, and he reappeared, et cetera, everything worked the way Microsoft says it’s supposed to.
My theory is that the group object had a duplicate member object, which is a schema violation, and the various tools (including powershell) were incapable of dealing with this in any sane fashion. But you can fix it with powershell.
