On 2012-08-01 10:56:01 +0000, djbrightman said:

> Can someone please suggest a simple way to prevent AD Computer objects
> trying to sync in group membership?
> We have AD-eDir mirror sync, with groups only sync'd in a particular
> subtree.
> However some of the groups in AD are for computer objects and we can
> see loads of 8003 errors in the publisher channel as it pumps through
> the group membership referring to computer objects that aren't
> sync'd....
> It seems that in certain circumstances the sheer load of this causes
> the remote loader connection to fail....
> (The 'obvious' answer would be to have these groups not in that
> subtree, but the AD design doesn't allow for this and that is in the
> process of becoming the dominant (and eventually sole)
> directory....(eek! ;-))
> Any thoughts or suggestions?
> Cheers
> David

I think this will be difficult to accomplish.
The "AD Computer objects" are defined in AD as:
1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL.

So every computer object is also a user object.
The surest method that I am aware of to determine a user is by the
sAMAccountType value.

Computers are - sAMAccountType: 805306369
Users are - sAMAccountType: 805306368

So short of doing a query of every member to determine the
sAMAccountType, I know of no other method to do this.


Thank You for your help!

Jim Willeke
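
An added example (not part of the thread and not IDM driver policy): the per-member sAMAccountType check described in the reply above, written in Python. The DNs, the sample directory and `sample_lookup` are constructed stand-ins for a real LDAP read of each member's sAMAccountType; only the two numeric values come from the post.

```python
SAM_USER_OBJECT = 805306368      # users, value quoted in the reply
SAM_MACHINE_ACCOUNT = 805306369  # computers, value quoted in the reply

# Constructed sample data standing in for AD: DN -> sAMAccountType
# (as a string, the way an LDAP read returns it). Names are made up.
SAMPLE_DIRECTORY = {
    "cn=alice,ou=staff,dc=example,dc=com": "805306368",
    "cn=bob,ou=staff,dc=example,dc=com": "805306368",
    "cn=ws-0142,ou=machines,dc=example,dc=com": "805306369",
    "cn=ws-0143,ou=machines,dc=example,dc=com": "805306369",
}


def sample_lookup(dn):
    """Hypothetical stand-in for one base-scope read of sAMAccountType."""
    return SAMPLE_DIRECTORY.get(dn.lower())


def split_members(member_dns, lookup=sample_lookup):
    """Classify group members by sAMAccountType.

    Returns (users, computers, other). 'other' holds members whose type is
    neither value, or that could not be read, so the caller decides on them.
    """
    cache = {}
    users, computers, other = [], [], []
    for dn in member_dns:
        key = dn.lower()          # AD compares DNs case-insensitively
        if key not in cache:      # one query per distinct member
            raw = lookup(dn)
            cache[key] = int(raw) if raw is not None else None
        sam_type = cache[key]
        if sam_type == SAM_USER_OBJECT:
            users.append(dn)
        elif sam_type == SAM_MACHINE_ACCOUNT:
            computers.append(dn)
        else:
            other.append(dn)
    return users, computers, other
```

Caching by lower-cased DN keeps the number of reads to one per distinct member, which matters when the same computer objects appear in many groups.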