>USNChanged value for users and groups.
>If a group "Group A" contains 10 users/members
>and then I remove one user/member from that group.
>Then query for the USNChanged value for the
>objectClass=group and objectClass=user objectCategory = organizationalPerson
>The LDAP query filter only returns the group.
>But in reality the user also has a change in his/her memberof property why is
>the user not returned for the query as a result.
>Is it because "memberof" is one of MS implementation rather than LDAP?

I would believe it's because "memberOf" is not really a property of
the user that gets stored in AD - it's being calculated from the
group's perspective. AD really stores which objects are members of a
group - not the other way around. (you can't add a user to a group by
updating the user's "memberOf" property - you have to use the group
you want to add the user to, and add that account to the group's
If you look at the "memberOf" property of a user, it gets determined
from the groups the user belongs to.
Thus, since it's not really a property of the user, if you remove a
user from a group, you don't really change anything in the user object
- thus, the USNchanged doesn't get updated.
All you gurus out there - does that make any sense?? :-)
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch
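
Added example, not part of the original reply: since the thread observes that only the group shows up in a uSNChanged query, a change tracker can poll the changed groups and diff each group's stored "member" list against a cached copy to work out which users' memberOf changed. All names, DNs and USN values below are constructed, and the directory query itself is assumed to run elsewhere and hand its results to this code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupEntry:
    dn: str
    usn_changed: int       # uSNChanged as read from one specific DC (it is a per-DC value)
    members: frozenset     # DNs from the group's stored "member" attribute

def changed_groups_filter(high_water_usn):
    """LDAP filter for groups modified since the last poll of the same DC."""
    return f"(&(objectClass=group)(uSNChanged>={high_water_usn + 1}))"

def membership_deltas(cache, polled):
    """Diff polled groups against the cache and update the cache.

    Returns {member_dn: {"added": {group_dn}, "removed": {group_dn}}}: the
    memberOf changes that a uSNChanged query on the user objects does not show.
    """
    deltas = {}
    for entry in polled:
        old = cache.get(entry.dn)
        before = old.members if old else frozenset()
        for dn in entry.members - before:
            deltas.setdefault(dn, {"added": set(), "removed": set()})["added"].add(entry.dn)
        for dn in before - entry.members:
            deltas.setdefault(dn, {"added": set(), "removed": set()})["removed"].add(entry.dn)
        cache[entry.dn] = entry
    return deltas

def next_high_water(current, polled):
    """Highest uSNChanged seen so far; the starting point for the next poll."""
    return max([current] + [e.usn_changed for e in polled])

# Constructed sample: Bob was removed from Group A between two polls.
GROUP_A = "CN=Group A,OU=Groups,DC=example,DC=com"
ALICE = "CN=Alice,OU=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Users,DC=example,DC=com"
CACHE = {GROUP_A: GroupEntry(GROUP_A, 5000, frozenset({ALICE, BOB}))}
POLLED = [GroupEntry(GROUP_A, 5042, frozenset({ALICE}))]

if __name__ == "__main__":
    print(changed_groups_filter(5000))
    for user, change in membership_deltas(dict(CACHE), POLLED).items():
        print(user, change)
    print("next high-water mark:", next_high_water(5000, POLLED))
```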