The Samba-Bugzilla – Bug 4845
Setting the groups of new AD objects
Last modified: 2008-12-25 17:12:10 UTC
- When I add a user account, it isn't added to "Domain Users" (at least I can't notice a change in the "Domain Users" object "members" attribute) - User Manager does this right
- New workstations (also when joining) and new domain controllers should also be added automatically to "Domain Computers" and "Domain Controllers" using the "member" attribute. In my opinion it isn't sufficient to set only the "primaryGroupID".
(from bug 4815)
Have you checked this, Andrew?
Interestingly, this does not occur over LDAP (for computers or users).
This will need a test that cross-references LDAP with RPC.
*** Bug 4909 has been marked as a duplicate of this bug. ***
Update: This doesn't seem to work yet:
- New workstations (also when joining) and new domain controllers should also be added automatically to "Domain Computers" and "Domain Controllers" using the "member" attribute. In my opinion it isn't sufficient to set only the "primaryGroupID".
- When adding a user account using User Manager, the "memberOf" attribute of the new user is set to "Domain Users". This shouldn't be necessary anymore. When I open the "Members" tab in the properties in ADUC, I notice "Domain Users" twice.
Andrew, this isn't solved yet. We should correct our behaviour here.
According to http://msdn.microsoft.com/en-us/library/ms677943(VS.85).aspx I've been wrong here until now (a user generally doesn't have to be inserted as "member" in his primary group). So the behaviour of "User Manager for Domains" (which does that) is incorrect.
According to a Wireshark trace, the "User Manager for Domains" adds the user to his primary group when it doesn't find the primary group membership through http://msdn.microsoft.com/en-us/library/cc245815(PROT.10).aspx (SamrGetGroupsForUser). If I understood it right, the latter call doesn't return the primary group (only "member" group memberships).
So we have here a fault in the "User Manager" and not in SAMBA. Closing it as INVALID.
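An added example, not part of the bug report and not Samba code: a membership audit that reads only "member" misses accounts that belong to a group solely through "primaryGroupID", which is the situation the thread ends on. The sketch below combines both sources and flags accounts recorded both ways; the DNs, SIDs and function names are constructed for illustration.

```python
# Added illustration; directory contents below are constructed, not from the bug report.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
USERS = "CN=Users,DC=example,DC=com"

# Groups keyed by DN; 513 and 515 are the well-known RIDs of
# "Domain Users" and "Domain Computers".
GROUPS = {
    "CN=Domain Users," + USERS: {
        "objectSid": DOMAIN_SID + "-513",
        "member": ["CN=carol," + USERS],  # explicit add, as User Manager did
    },
    "CN=Domain Computers," + USERS: {
        "objectSid": DOMAIN_SID + "-515",
        "member": [],
    },
}

# Accounts keyed by DN; only carol is also listed in a "member" attribute.
ACCOUNTS = {
    "CN=alice," + USERS: {"objectSid": DOMAIN_SID + "-1104", "primaryGroupID": 513},
    "CN=carol," + USERS: {"objectSid": DOMAIN_SID + "-1105", "primaryGroupID": 513},
    "CN=WS01,CN=Computers,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-1106", "primaryGroupID": 515},
}


def split_sid(sid):
    """Split a domain-relative SID string into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def effective_members(group_dn, groups=GROUPS, accounts=ACCOUNTS):
    """Combine "member" values with accounts whose primaryGroupID names the group."""
    group = groups[group_dn]
    g_domain, g_rid = split_sid(group["objectSid"])
    explicit = set(group.get("member", []))
    primary = {
        dn for dn, acct in accounts.items()
        if split_sid(acct["objectSid"])[0] == g_domain
        and acct["primaryGroupID"] == g_rid
    }
    return {
        "explicit": explicit,             # what a "member"-only query sees
        "primary": primary,               # implied by primaryGroupID alone
        "all": explicit | primary,        # what an audit should report
        "redundant": explicit & primary,  # recorded both ways
    }
```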