Unable to list any users from the default "domain users" group in vIDM


Article ID: 410677

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • After a directory is configured in vIDM, when the default "Domain Users" group of Windows Active Directory is added to the sync settings, no users are listed once the sync completes.

  • No errors are observed in the sync logs on vIDM.

  • Checking /opt/vmware/horizon/workspace/logs/connector-dir-sync.log on the vIDM node, the following messages are observed (the group is found, but with 0 members):

    2025-09-16T11:14:27,558 INFO  (resourceSyncTaskExecutor-3) [;;;] com.vmware.horizon.directory.ldap.LdapConnector - Starting LDAP Query: Host: ldap://ad_fqdn:389 PageSize - 1000 SearchDN - distinguishedName=DC=domain,DC=doomain SearchFilter - (&(objectCategory=group)(distinguishedName=CN=Domain Users,CN=Users,DC=domain,DC=name)) Scope - 2
    2025-09-16T11:14:27,561 INFO  (resourceSyncTaskExecutor-3) [;;;] com.vmware.horizon.directory.ldap.LdapConnector - Query Completed for SearchDN - DC=domain,DC=name SearchFilter - (&(objectCategory=group)(distinguishedName=CN=Domain Users,CN=Users,DC=domain,DC=name))
    2025-09-16T11:14:27,562 INFO  (resourceSyncTaskExecutor-4) [;;;] com.vmware.horizon.directory.ldap.LdapResolveMembershipsServiceV2 - ******** Total Time taken to Load Users using Looping mechanism: 0 msec
    2025-09-16T11:14:27,562 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - ========== BEGIN SYNC [dry run] ==========
    2025-09-16T11:14:27,562 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - Source directory poll found 1 objects.
    2025-09-16T11:14:27,562 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - GROUP #######-####-####-####-############### (Domain Users) - 0 member(s)
    2025-09-16T11:14:27,583 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - Target directory poll found 0 objects.
    2025-09-16T11:14:27,583 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - Sync will result in 1 user/group change and 0 group memberhship changes and 0 group parent changes to Horizon.
    2025-09-16T11:14:27,583 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.PushEngine - DRY-RUN    CREATE GROUP Domain Users (######-####-####-####-##########)
    2025-09-16T11:14:27,583 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - =========== END SYNC [dry run] ===========
    2025-09-16T11:14:27,583 INFO  (Thread-7503) [VIDM01;admin@VIDM01;127.0.0.1;] com.vmware.horizon.dirsync.SyncController - StopWatch 'Directory Sync time for dry run': running time = 34322008 ns

  • When another group is added and a sync is performed, users show membership for the new group and for the "Domain Users" group as well; if "Domain Users" is the only group added, no users are detected.

Environment

vIDM 3.3.7

Cause

  • This behavior is expected due to how AD represents default groups. "Domain Users" is a default AD group linked via primaryGroupID, not memberOf. vIDM syncs users based on memberOf, so it can't detect users in "Domain Users" when it's the only group added.

  • When another group is added (with explicit memberOf links), vIDM syncs users and then retroactively shows their "Domain Users" membership.


Resolution

Create a custom group with the required users as members and add it to the sync settings under groups for the required directory.
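The following is an added example, not part of this KB article or of vIDM, that models the cause and the resolution above. It uses a constructed in-memory copy of a few AD attributes (the domain SID, the DNs and the RID 1105/1106 values are made up; 513 is the well-known RID of "Domain Users"). A resolver that only follows memberOf, as the article says vIDM does, returns no members for "Domain Users", because AD links a user's primary group through primaryGroupID (the RID of the group's objectSid) and does not write that membership into memberOf or the group's member attribute. A resolver that also matches primaryGroupID finds them, and a custom group with explicit member links is visible to the memberOf-only resolver, which is what the resolution relies on.

```python
"""Added example (not from the KB): why a memberOf-only group sync misses
the members of a primary group such as "Domain Users", and why an explicit
custom group is visible to it. All directory data below is constructed."""
import copy

# Constructed sample domain. Real AD objectSid values are binary; the
# string form is used here because only the trailing RID matters.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # made up
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=domain,DC=name"
APP_USERS_DN = "CN=App Users,OU=Groups,DC=domain,DC=name"  # hypothetical group
ALICE_DN = "CN=alice,CN=Users,DC=domain,DC=name"             # hypothetical user
BOB_DN = "CN=bob,CN=Users,DC=domain,DC=name"                 # hypothetical user

GROUPS = {
    # AD does not list primary-group members in "member": it stays empty.
    DOMAIN_USERS_DN: {"objectSid": DOMAIN_SID + "-513", "member": []},
    APP_USERS_DN: {"objectSid": DOMAIN_SID + "-1105", "member": [ALICE_DN]},
}
USERS = {
    # Both users have Domain Users (RID 513) as their primary group, so the
    # memberOf back-link exists only for explicit group memberships.
    ALICE_DN: {"primaryGroupID": 513, "memberOf": [APP_USERS_DN]},
    BOB_DN: {"primaryGroupID": 513, "memberOf": []},
}


def rid_from_sid(sid: str) -> int:
    """Relative identifier: the last sub-authority of an objectSid string."""
    return int(sid.rsplit("-", 1)[1])


def members_via_member_of(group_dn: str, users: dict) -> list:
    """What a sync that only follows memberOf back-links sees (the vIDM behaviour)."""
    return sorted(dn for dn, attrs in users.items() if group_dn in attrs["memberOf"])


def members_via_primary_group(group_dn: str, groups: dict, users: dict) -> list:
    """Members linked only through primaryGroupID == RID of the group's objectSid."""
    rid = rid_from_sid(groups[group_dn]["objectSid"])
    return sorted(dn for dn, attrs in users.items() if attrs["primaryGroupID"] == rid)


def members_full(group_dn: str, groups: dict, users: dict) -> list:
    """Complete membership: explicit memberOf links plus primary-group links."""
    explicit = set(members_via_member_of(group_dn, users))
    primary = set(members_via_primary_group(group_dn, groups, users))
    return sorted(explicit | primary)


def create_custom_group(group_dn: str, member_dns: list, rid: int,
                        groups: dict, users: dict) -> None:
    """The KB resolution: a group with explicit members. AD maintains memberOf
    as the back-link of member, so a memberOf-only sync can see these users."""
    groups[group_dn] = {"objectSid": f"{DOMAIN_SID}-{rid}", "member": list(member_dns)}
    for dn in member_dns:
        users[dn]["memberOf"].append(group_dn)


def demo() -> dict:
    """Run the scenario on copies so the module-level sample data stays pristine."""
    groups, users = copy.deepcopy(GROUPS), copy.deepcopy(USERS)
    via_member_of = len(members_via_member_of(DOMAIN_USERS_DN, users))   # 0, as in the log
    actual = len(members_full(DOMAIN_USERS_DN, groups, users))             # the real count
    custom_dn = "CN=vIDM Sync Users,OU=Groups,DC=domain,DC=name"          # hypothetical
    create_custom_group(custom_dn, [ALICE_DN, BOB_DN], 1106, groups, users)
    via_custom = len(members_via_member_of(custom_dn, users))
    return {
        "domain_users_via_memberOf": via_member_of,
        "domain_users_actual": actual,
        "custom_group_via_memberOf": via_custom,
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} member(s)")
```

The same RID check is how you would verify the cause against a real directory: search for users whose primaryGroupID equals the RID of the group's objectSid and compare that count with the memberOf-based count the sync log reports. The custom group in the resolution works because its members are written to the group's member attribute, and AD's memberOf back-link is exactly what the sync engine follows.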