A Dynamic Group or Managed Unit can be created that should contain only empty groups (groups with no members). This can be done in a number of ways, including the built-in option of the Include By Query membership rule (Groups | Group Type | Show only groups: | Empty (not containing any members)) or a custom LDAP query like the following:
(&(objectCategory=group)(!(member=*)))
These Dynamic Groups or Managed Units will contain some built-in Active Directory groups such as:
Running the raw LDAP query above in Active Directory Users and Computers or any other LDAP tool also returns these groups.
This is expected Active Directory behavior.
As far as an LDAP query is concerned, these groups really are empty. Active Directory calculates their membership from each account's primary group, so that membership is never written into the member attribute the filter tests. They contain no real (stored) members, only calculated ones.
WORKAROUND
In the Dynamic Group or Managed Unit membership rules, explicitly exclude Domain Users, Domain Controllers, Domain Computers, and any other group whose membership is only calculated via the primary group.
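As an added example (not code from the article or from Active Roles), this Python model shows why the raw filter returns Domain Users, Domain Computers and Domain Controllers and how to pick out the groups to exclude: primaryGroupID stores the RID of an account's primary group, and that membership is never written into the group's member attribute. The domain SID, account DNs and the two custom groups are constructed sample data; 513, 515 and 516 are the well-known RIDs of the three built-in groups.

```python
# Added example, not code from the One Identity article. All directory data
# below is constructed; only the RIDs 513 (Domain Users), 515 (Domain
# Computers) and 516 (Domain Controllers) are the real well-known values.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
# 'member' is the stored attribute that (!(member=*)) tests.
GROUPS = [
    {"cn": "Domain Users",       "objectSid": f"{DOMAIN_SID}-513",  "member": []},
    {"cn": "Domain Computers",   "objectSid": f"{DOMAIN_SID}-515",  "member": []},
    {"cn": "Domain Controllers", "objectSid": f"{DOMAIN_SID}-516",  "member": []},
    {"cn": "Finance",            "objectSid": f"{DOMAIN_SID}-1105", "member": ["CN=alice,OU=Staff,DC=example,DC=com"]},
    {"cn": "Old Project",        "objectSid": f"{DOMAIN_SID}-1106", "member": []},
]
# primaryGroupID holds the RID of an account's primary group; that membership
# is calculated by Active Directory and not stored in the group's 'member'.
ACCOUNTS = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com", "primaryGroupID": 515},
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=com", "primaryGroupID": 516},
]

def rid(object_sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID string."""
    return int(object_sid.rsplit("-", 1)[1])

def ldap_empty_groups(groups):
    """Emulate (&(objectCategory=group)(!(member=*))): no stored members."""
    return [g["cn"] for g in groups if not g["member"]]

def primary_group_members(groups, accounts):
    """Map group cn -> DNs of accounts whose primaryGroupID is the group's RID."""
    by_rid = {rid(g["objectSid"]): g["cn"] for g in groups}
    computed = {g["cn"]: [] for g in groups}
    for acct in accounts:
        cn = by_rid.get(acct["primaryGroupID"])
        if cn is not None:
            computed[cn].append(acct["dn"])
    return computed

def groups_to_exclude(groups, accounts):
    """Groups the raw filter returns only because their membership is
    calculated via primaryGroupID: the ones to exclude from the rule."""
    computed = primary_group_members(groups, accounts)
    return [cn for cn in ldap_empty_groups(groups) if computed[cn]]

def truly_empty_groups(groups, accounts):
    """Groups with neither stored nor primary-group members: the rule's
    intended result once the workaround is applied."""
    excluded = set(groups_to_exclude(groups, accounts))
    return [cn for cn in ldap_empty_groups(groups) if cn not in excluded]
```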
© 2025 One Identity LLC. ALL RIGHTS RESERVED.