I have the following scenario.
I recently installed a fresh Windows Server 2019 with Active Directory Domain Services enabled. So far so good.
I have user accounts in my active directory.
I have groups in my active directory.
I then use an LDAP Python library ldap3 to add a user to a group:
def add_group_members(ldap_host, ldap_domain, ldap_user, ldap_password, group_dn, members):
tls_configuration = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server(ldap_host, use_ssl=True, get_info=ALL, tls=tls_configuration)
conn = Connection(server, user="{}\\{}".format(ldap_domain, ldap_user), password=ldap_password, authentication=NTLM)
conn.bind()
conn.modify(group_dn, {'member': [(MODIFY_ADD, members)]})My user now has a memberOf attribute with the DN of the group.
And my group has a member attribute with the DN of the user. Great.
Now I remove the user from the group:
def remove_group_members(ldap_host, ldap_domain, ldap_user, ldap_password, group_dn, members):
tls_configuration = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server(ldap_host, use_ssl=True, get_info=ALL, tls=tls_configuration)
conn = Connection(server, user="{}\\{}".format(ldap_domain, ldap_user), password=ldap_password,
authentication=NTLM)
conn.bind()
conn.modify(group_dn, {'member': [(MODIFY_DELETE, members)]})The group and user object no longer have memberOf or member attributes as expected.
The group object's whenChanged is modified with the timestamp of when the group membership of the user changed.
But the user's whenChanged attribute is *not* modified.
This did not seem to be how Active Directory worked on my previous Windows Server 2016 setup.
The user object did change. The memberOf was removed. I expect the whenChanged to be updated to respect that.
Why am I seeing this behavior?