The member and memberOf attributes are guaranteed to be available only for Universal Security Groups within the Windows Global Catalog. Membership information for the following LDAP Group types (where the group isn't within the same domain as the Global Catalog) isn't guaranteed to be available in the Global Catalog:
- Domain Local Security
- Domain Local Distribution
- Global Security
- Global Distribution
The following domain structure is used for illustration:
- Parent (IP x.x.x.227)
- Child (IP x.x.x.228)
- GrandChild (IP x.x.x.229)
When registering an LDAP server using the Global Catalog with ePO, the following table shows when the memberOf or member attributes are present:

| Registered LDAP Server | Universal Security Group | Domain Local Security | Domain Local Distribution | Global Security | Global Distribution |
|---|---|---|---|---|---|
| Parent | ALL | Parent Only | Parent Only | Parent Only | Parent Only |
| Child | ALL | Child Only | Child Only | Child Only | Child Only |
| GrandChild Only | ALL | GrandChild Only | GrandChild Only | GrandChild Only | GrandChild Only |

The memberOf attribute is used when assigning LDAP Groups to ePO systems or branches. If the memberOf attribute isn't present when trying to assign an LDAP Group, the group is added, but no users are synced from the LDAP server.

The memberOf attribute is used during the import of EEPC 5.x user groups when associating them to an LDAP user group for DE. If the memberOf attribute isn't present, the LDAP Group is assigned. Any users that have Token Data are not found during the pre-processing stage and no users are synced from the LDAP server for the LDAP Group.
NOTES:
- In subsequent LDAP Synchronizations, the LDAP group Users aren't updated if the memberOf attribute isn't present.
- Changing an ePO registered LDAP server from one that wasn't using a Global Catalog to one that uses a Global Catalog could also result in loss of both Users and Token Data.
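The table above can be applied as a pre-check before assigning groups through a Global Catalog server. The following is an added example, not code from ePO or from this article: it classifies each group from its Active Directory groupType value and flags groups whose membership isn't guaranteed from the chosen Global Catalog. The domain names, group DNs and function names are constructed for illustration.

```python
# Added illustration; the DNs and group names below are constructed sample data.
SCOPE_GLOBAL, SCOPE_DOMAIN_LOCAL, SCOPE_UNIVERSAL = 0x2, 0x4, 0x8  # groupType scope bits
SECURITY_ENABLED = 0x80000000  # set for security groups, clear for distribution groups


def domain_of(dn):
    """Return the domain part of a DN (its DC= components), lower-cased."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def classify(group_type):
    """Map a groupType value (AD stores it as a signed 32-bit int) to a type name."""
    bits = group_type & 0xFFFFFFFF
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    for flag, scope in ((SCOPE_UNIVERSAL, "Universal"),
                        (SCOPE_DOMAIN_LOCAL, "Domain Local"),
                        (SCOPE_GLOBAL, "Global")):
        if bits & flag:
            return f"{scope} {kind}"
    return f"Unknown {kind}"


def membership_guaranteed(group_dn, group_type, gc_domain_dn):
    """Apply the table: Universal Security is available from any Global Catalog;
    any other type only when the group is in the Global Catalog's own domain."""
    if classify(group_type) == "Universal Security":
        return True
    return domain_of(group_dn) == domain_of(gc_domain_dn)


def groups_at_risk(groups, gc_domain_dn):
    """List (dn, type) for groups whose member/memberOf data isn't guaranteed."""
    return [(dn, classify(gt)) for dn, gt in groups
            if not membership_guaranteed(dn, gt, gc_domain_dn)]


SAMPLE_GROUPS = [  # (distinguishedName, groupType), constructed
    ("CN=DE-Users-All,OU=Groups,DC=parent,DC=example", -2147483640),
    ("CN=DE-Users-Child,OU=Groups,DC=child,DC=parent,DC=example", -2147483646),
    ("CN=DE-Local,OU=Groups,DC=parent,DC=example", -2147483644),
    ("CN=DE-Mail,OU=Groups,DC=child,DC=parent,DC=example", 2),
]

if __name__ == "__main__":
    for dn, kind in groups_at_risk(SAMPLE_GROUPS, "DC=parent,DC=example"):
        print(f"not guaranteed via this Global Catalog: {kind}: {dn}")
```

Any group this reports would be added in ePO with no users synced, so it should either be assigned through an LDAP server in its own domain or replaced with a Universal Security Group.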