Active Directory Group Synchronization - missing members


    I thought sharing my recent experience on this topic, and what worked for us, could be useful to someone else.

     

    We are using the Active Directory group synchronization process and it works pretty well, for the most part.

     

    The problem: We had a "mysterious" condition on some imported and synchronized AD groups where not all members of the group were showing up. In one specific example, only 38 of the 44 members showed up. All 44 show up as members when viewed and queried with standard Windows tools and commands.

     

    The solution: I'll spare you the details of the troubleshooting we went through, as it involved running scripts to query the group and user attributes, but the problem we discovered and the solution were simple. It turns out that when an Active Directory user's "PrimaryGroup" attribute is set to something other than "Domain Users" (e.g. CN=Domain Users,CN=Users,DC=yourdomain,DC=com), the query to the directory to find the members excludes them from the list. We were able to replicate the problem with a VBScript, so this is NOT a Tableau issue per se.

     

    The user's PrimaryGroup must be set to the Domain Users group, regardless of the fact that they are already a member of that group.
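
A read-only PowerShell check for the condition described above, added here as an example; it is not the VBScript mentioned in the post and not Tableau's code. It assumes the ActiveDirectory module (RSAT) is installed, and `Tableau-Analysts` is a hypothetical group name standing in for one of your synchronized groups.

```powershell
# Added example: list users whose primary group is not Domain Users and show
# how each one relates to a synchronized group. Makes no changes to AD.
param(
    [string]$GroupName = 'Tableau-Analysts'   # hypothetical group name
)

Import-Module ActiveDirectory

$DomainUsersRid = 513                          # well-known RID of Domain Users
$domainSid      = (Get-ADDomain).DomainSID.Value

# The group's RID is the last component of its SID.
$group    = Get-ADGroup -Identity $GroupName -Properties member
$groupRid = [int](($group.SID.Value -split '-')[-1])

# Distinguished names stored in the group's 'member' attribute.
# A user's primary group is stored on the user object as primaryGroupID (a RID)
# and is not reflected in that group's 'member' attribute.
$listedDns = @($group.member)

# Every user whose primary group is something other than Domain Users.
$users = Get-ADUser -Filter "primaryGroupID -ne $DomainUsersRid" -Properties primaryGroupID

$report = foreach ($u in $users) {
    # Resolve the RID back to a group by rebuilding the full SID.
    $primary = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)"
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        PrimaryGroup       = $primary.Name
        PrimaryGroupID     = $u.primaryGroupID
        InMemberAttribute  = $listedDns -contains $u.DistinguishedName
        PrimaryIsThisGroup = ($u.primaryGroupID -eq $groupRid)
    }
}

# Users tied to the synchronized group who carry a non-default primary group:
# these are the candidates for the "missing members" described in the post.
$report |
    Where-Object { $_.InMemberAttribute -or $_.PrimaryIsThisGroup } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Comparing the number of rows returned with the gap you see after synchronization (6 of 44 in the example above) tells you whether the primary group setting accounts for all of the missing members.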