Every user is a member of the Domain Users group by default.
The memberof attribute of a user is NOT populated with group name when there are more than 5000 members in a group due to a limitation in the size of the attribute.
When using LDAP utilities, like Lpd.exe, Microsoft knowledge base article 275523 recommends:
To resolve this behavior, create a separate attribute called PrimaryGroupID. When you do this, all users can be a member of the Domain Users global group, but instead of explicitly adding them to the Domain Users group membership, assign the user a value for this group in the PrimaryGroupID value. The PrimaryGroupID value is the RID of the group which is assigned as the user's Primary group.
To make sure that the user has the appropriate access to resources in the domain, you not only calculate group membership based on the memberof attribute, you also query for the value of the PrimaryGroupID of the user accounts. When you do this, you create the user's Token, and include the Primary group at the log-on process for all of the groups of which the user is a member.
Programs that need to query groups to give users access that is based on group membership should also query for the PrimaryGroupID attribute.
If more than 5000 users need to be added to a group, work around the 5000 member limitation for groups by using nested groups under a master (parent) group.
MORE INFORMATIONThe Primary Group ID (PrimaryGroupID) is an integer value that represents the primary group ID for this user.
The following example describes how to obtain the PrimaryGroupID user attribute by using Microsoft Visual Basic (VB) script:
Set usr = GetObject("WinNT://TestDomain/JSmith") UserID = usr.Get("PrimaryGroupID") MsgBox "The User's Primary Group ID is:"& UserID End quote