This article applies to:

• R3000

Symptoms:

• If you've added Domain Users as one of your LDAP groups, the list of members (Group Member Detail) may not reflect the actual member list on your Active Directory Users and Computers.

Causes:

The following default settings will cause this:

1. In Active Directory, user's Primary Group set to "Domain Users"
2. On the R3000, "Use Primary Group" setting in Group tab of Domain Details set as unchecked.

Resolution:

In Active Directory, when a new user is created, the Primary Group attribute of that user is automatically set to the group Domain Users. This can be changed in AD but it is common to leave that as is.

In the R3000, by default the "Use Primary Group" setting in the Domain Details of an AD domain is turned off. With this setting disabled, R3000 will be able to see all group membership EXCEPT the Primary Group. So whatever the AD user has set as its primary group, R3000 will not see that user as a member of that group.

Most of the time, AD Admins will choose to not use the Domain Users group and create their own groups for user categorization. So leaving everything at their default settings should be okay. If you want the R3000 to filter using the Domain Users group, then you will need to either (DO ONLY ONE):

(a) In AD, make sure the Primary Group of all users IS NOT set to Domain Users

(b) On the R3000, enable the "Use Primary Group" option. However when this is turned on, the R3000 will ONLY look at the Primary Group when a user authentication. Thus, he will always receive whatever profile is set for the Primary Group, overriding any Group Priority settings you have in place.