How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?
For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?
Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.
This is what I see when viewed via LDAP (i.e., no MS extensions):
To get the primaryGroupToken from any given group, extract it from the objectSid. So, for example, Domain Users objectSid = S-1-5-21-704657944-2065781323-617630493-513
then the primaryGroupToken is the last digits after the "-", so in the case of "Domain Users" it's 513.
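The lookup described above, as an added example that is not part of the original answer: it decodes the binary objectSid that a plain LDAP client receives, takes the trailing RID, and builds one search filter matching both regular members and users whose primary group is that group. It assumes users carry the RID in the Active Directory `primaryGroupID` attribute; the function names and the sample bytes are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (as returned over plain LDAP) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def rid_from_sid(sid) -> int:
    """Return the last sub-authority (the RID) of a binary or string SID."""
    if isinstance(sid, (bytes, bytearray)):
        sid = sid_to_string(bytes(sid))
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_members_filter(group_dn: str, group_sid) -> str:
    """Filter matching explicit members and primary-group members of one group.

    Assumption: users store the group's RID in primaryGroupID.
    """
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (
        escape_filter_value(group_dn), rid_from_sid(group_sid))

# Constructed sample: binary form of the SID quoted in the answer above.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 704657944, 2065781323, 617630493, 513)

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID))
    print(group_members_filter("CN=Domain Leute,DC=mycompany,DC=com", SAMPLE_SID))
```

Because the RID comes from the group's own objectSid, the same filter works for a localized "Domain Users" or for a group such as "CN=rebels,DC=mycompany,DC=com" without knowing its name in advance.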