Discrepancies between user and group membership


Today I face a strange issue:

"User A" is member of "group A", but when I look who is member of "group A" I do not find the "User A" on the membership list of the group.

See an example on iManager, left the user group membership and right the group members


Anyone can explain why??

Thanks in advance

Ricard Malvesi





    Group membership is actually represented by 4 attributes, 2 on the user, 2 on the Group.

    For fun, do Security Equals (User pointing at Group) and Equivalent To Me (Group pointing at User) match as well?  (These are the other two in addition to Member/Group Membership.)

    How does this happen? Someone manually via LDAP or other API adds a user to a group by only setting one of the 4 (or some subset of the 4) attributes. It happens.  Often happens when AD admins are involved since they are used to just one attribute on the Group.  (MemberOf on the user in AD is a dynamic filter and looked up every time you look at it not an actual static value)

    Here is a better question for you:  How widespread is this issue?

    Good news!  Alekz who posts here, wrote a kick-tushy tool called Console2. It is sort of meant for IDM people but it does directory stuff very cleverly as well.


    He has a function in there that checks reciprocal attribute mappings. So a group has a pair of reciprocal attributes as discussed above. You can use an LDAP filter for only certain objects, a base container to start etc.  But it finds all the mismatches.  And there is a tickbox to generate an LDIF to fix them!  Which you can edit and fix one, all, or just the ones you want.

    Woo Hoo!  You could do this on your own loading it all into a DB or somesuch or Excel but this tool just finds them all and offers to fix them.


    So this will find them all and help you fix them all.  Go get the tool, it really is great.  Also does unique value finding.  Do I have two users with the same uniqueID?  That would be bad. 

    Multiple value finder: Do I have users with two values for Surname (Legal in eDir, other systems do not like it).  Easy peasy.

  • There's a four way relationship for user / group stuff needed for referential integrity, i.e.

    on the user object both "groupMembership" and "securityEquals" have to point to the FDN of the group object. On the latter "member" and "equivalentToMe" have to point to the FDN of the user. Now depending on how (with which tools) and when (15 years back there's been a bug in ConsoleOne regarding this) the membership has been established one or more of these 4 parts might be missing. Removing / re-adding the relation with e.g. a current iManager build should clean things up.
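
The four-way check both replies describe, as an added example (not code from Console2 or from anyone in this thread): it walks exported entries, reports every missing half of the groupMembership/member and securityEquals/equivalentToMe pairs, and renders the gaps as LDIF for review. The function names and the sample DNs are assumptions made up for illustration.

```python
# Added example: the sample data is constructed, not taken from a real tree.
# Reciprocal pairs named in the thread: (attribute on user, attribute on group).
PAIRS = [("groupMembership", "member"), ("securityEquals", "equivalentToMe")]

def norm(dn):
    """Comparison key for a DN (simplified: ignores case and spaces around commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def find_mismatches(entries):
    """Return sorted (dn, attr, missing_value) triples for one-sided relations.

    entries: {dn: {attr: [dn values]}}, e.g. parsed from an LDAP search or LDIF export.
    """
    index = {norm(dn): (dn, attrs) for dn, attrs in entries.items()}
    missing = set()
    for dn, attrs in entries.items():
        for user_attr, group_attr in PAIRS:
            # Check both directions: user -> group and group -> user.
            for here, there in ((user_attr, group_attr), (group_attr, user_attr)):
                for target in attrs.get(here, []):
                    if norm(target) not in index:
                        continue  # target not in the export; nothing to compare
                    target_dn, target_attrs = index[norm(target)]
                    back = {norm(v) for v in target_attrs.get(there, [])}
                    if norm(dn) not in back:
                        missing.add((target_dn, there, dn))
    return sorted(missing)

def to_ldif(mismatches):
    """Render the missing values as LDIF modify records, to be reviewed before import."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n-\n"
        for dn, attr, value in mismatches
    )

# Constructed sample: the user side is complete, the group lacks 'member'.
SAMPLE = {
    "cn=UserA,ou=users,o=acme": {
        "groupMembership": ["cn=GroupA,ou=groups,o=acme"],
        "securityEquals": ["cn=GroupA,ou=groups,o=acme"],
    },
    "cn=GroupA,ou=groups,o=acme": {
        "equivalentToMe": ["cn=usera,ou=users,o=acme"],
    },
}

if __name__ == "__main__":
    print(to_ldif(find_mismatches(SAMPLE)))
```

The check only adds the missing half of a relation; whether a one-sided entry should instead be removed (for example a stale securityEquals that grants rights nobody intended) is a decision to make per record before importing the LDIF.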