
Missing Group Memberships in AD??

I ran into something really interesting today that took some time to figure out. Thought I should post in case anyone else is puzzled by the same scenario (and so that I can remember later).

I was running queries for group memberships and found inconsistencies between what I was seeing in ADUC and what my queries were pulling back. In ADUC, I could see user accounts in a group that did not show up in the query results or when I looked in ADSIEDIT.

I checked permissions, looked at the different attributes of the accounts, and compared ldp outputs. I finally noticed that the primary group memberships were changed to the groups that I was querying and not ‘Domain Users’, which is the default. With the primary group designation, the account is not listed in the member attribute for the group, nor is the group listed in the memberOf attribute for the account.

There really aren’t any compelling reasons to update an account’s primary group designation, unless you want the account to have more restrictive rights than a regular domain user, like guest users. Otherwise, it is a bit confusing and requires applications to look at more than just the memberOf or member attributes on users and groups to determine access.
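
The sketch below is an added example, not code from the original post. It shows how an application can resolve a group's full membership by combining the member attribute with users whose primaryGroupID equals the group's RID (the last sub-authority of its objectSid). The directory entries, DNs, SID values and function names are constructed for illustration.

```python
import struct

DOMAIN_USERS_RID = 513  # well-known RID of Domain Users, the default primary group

def make_sid(*sub_auths):
    """Build a binary S-1-5-... SID (used only for the constructed sample data)."""
    header = bytes([1, len(sub_auths)]) + (5).to_bytes(6, "big")
    return header + struct.pack(f"<{len(sub_auths)}I", *sub_auths)

def sid_rid(sid):
    """Return the RID, i.e. the last sub-authority of a binary objectSid."""
    count = sid[1] if len(sid) >= 8 else 0   # byte 1 = number of sub-authorities
    if count == 0 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def effective_members(group, users):
    """Split a group's members into those listed in 'member' and those
    that belong only through primaryGroupID (absent from 'member')."""
    rid = sid_rid(group["objectSid"])
    listed = set(group.get("member", []))
    via_primary = {u["distinguishedName"] for u in users
                   if u["primaryGroupID"] == rid}
    return listed, via_primary - listed

def non_default_primary(users):
    """User DNs whose primary group is not Domain Users."""
    return sorted(u["distinguishedName"] for u in users
                  if u["primaryGroupID"] != DOMAIN_USERS_RID)

# Constructed sample directory: names, DNs and SID values are made up.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
GROUP = {"distinguishedName": "CN=App-Admins,OU=Groups,DC=example,DC=test",
         "objectSid": make_sid(*DOMAIN, 1604),
         "member": ["CN=alice,OU=Staff,DC=example,DC=test"]}
USERS = [
    {"distinguishedName": "CN=alice,OU=Staff,DC=example,DC=test", "primaryGroupID": 513},
    {"distinguishedName": "CN=bob,OU=Staff,DC=example,DC=test", "primaryGroupID": 1604},
    {"distinguishedName": "CN=carol,OU=Staff,DC=example,DC=test", "primaryGroupID": 513},
]

if __name__ == "__main__":
    listed, hidden = effective_members(GROUP, USERS)
    print("listed in member:", sorted(listed))
    print("primary group only:", sorted(hidden))
    print("non-default primary group:", non_default_primary(USERS))
```

Against a live directory, the same lookup is an LDAP search for user objects with the filter `(primaryGroupID=<RID>)`, where the RID is taken from the group's objectSid.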
