Resolution
fact
Directory and Resource Administrator 6.x
symptom
Different results are returned when retrieving group membership, using the web console, versus using the Directory and Resource Administrator ADSI provider.
cause
This is by design.
fix
The discrepancy is that the Active Directory property "memberof", which the DRA ADSI provider returns, does not return the primary group. In addition it also does not return group memberships from trusted NT4 domains. This is the same behavior that you would see using the LDAP provider.
Below are some sample methods using vbs. The first type is what is returning the 'MemberOf' property and willl only return memberships in the current domain. The second will use Directory and Resource Administrator (DRA) to calculate the correct group memberships. The second method is similar to what the Web console does.
set user = GetObject("OnePoint://cn=dep1,ou=testou2,dc=schwamx-dom,dc=houston,dc=netiq,dc=local")
type1
type2
sub type1()
memberOf = user.Get("memberOf")
WScript.Echo Cstr(VarType(memberof))
if(varType(memberof) = 8204) then
for each x in memberOf
WScript.Echo CStr(x)
next
else
WScript.Echo memberOf
end if
end sub
sub type2()
for each grp in user.Groups()
WScript.Echo grp.Get("$McsPath")
next
end sub