Retrieve members of group in Active Directory

Does anyone know how to retrieve all the members of a group in AD? We have single sign-on using AD accounts, but I want to specify the users that will be given access using a security group in AD.
I've tried to list all the groups and determine the membership of a user, but listing all the members of a group confuses me and I'm stuck.
Please help.
Thanks.

Look for postings/replies of user "steve_adler"
In one of his posts about paging and range Ldap Queries he explains how to find all members of a group.
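As an added illustration of the ranged retrieval the reply refers to (this is not code from the thread or from steve_adler's posts): AD returns at most 1500 values of `member` per read and names the returned attribute `member;range=lo-hi`, so the client must ask for successive ranges until the high end comes back as `*`. The directory below is a constructed in-memory stand-in that mimics that response format; the DNs and group sizes are sample values.

```python
"""Ranged retrieval of a large multi-valued AD attribute ("member;range=lo-hi").
Added example, not code from the thread. FakeDirectory is a constructed stand-in
for a domain controller so the client loop can be exercised offline."""
import re

MAX_VAL_RANGE = 1500  # AD's default MaxValRange: never more values than this per read

# Attribute ids such as "member;range=0-1499" or "member;range=1500-*"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def parse_range_option(attr_id):
    """Split 'attr;range=lo-hi' into (attr, lo, hi); hi is None when the server
    answered with '*'. Returns None for an attribute id without a range option."""
    m = RANGE_RE.match(attr_id)
    if m is None:
        return None
    hi = m.group("hi")
    return m.group("attr"), int(m.group("lo")), (None if hi == "*" else int(hi))


class FakeDirectory:
    """Constructed stand-in for a DC (sample data, not a real directory)."""

    def __init__(self, groups):
        self.groups = groups  # group DN -> list of member DNs
        self.reads = 0        # number of attribute reads the client issued

    def read_attribute(self, group_dn, requested):
        """Answer a read of 'member' or 'member;range=lo-hi' the way AD does: the
        returned attribute id carries the range actually served, and its high
        end is '*' once the last value has been delivered."""
        self.reads += 1
        values = self.groups[group_dn]
        parsed = parse_range_option(requested)
        attr, lo, hi = parsed if parsed else (requested, 0, None)
        if attr != "member":
            raise KeyError(attr)
        if not values:
            return {}  # AD simply omits an attribute that has no values
        if parsed is None and len(values) <= MAX_VAL_RANGE:
            return {"member": list(values)}  # small group: plain attribute
        end = lo + MAX_VAL_RANGE if hi is None else min(hi + 1, lo + MAX_VAL_RANGE)
        chunk = values[lo:end]
        if lo + len(chunk) >= len(values):
            return {f"member;range={lo}-*": chunk}
        return {f"member;range={lo}-{lo + len(chunk) - 1}": chunk}


def all_members(directory, group_dn):
    """Client side: collect every member DN of a group, however large."""
    members = []
    lo = 0
    while True:
        result = directory.read_attribute(group_dn, f"member;range={lo}-*")
        if not result:
            return members  # empty group
        attr_id, values = next(iter(result.items()))
        members.extend(values)
        parsed = parse_range_option(attr_id)
        if parsed is None or parsed[2] is None:
            return members  # plain 'member' or a range ending in '*': done
        lo = parsed[2] + 1  # ask for the next range


def sample_directory():
    """Constructed sample data: one group above the 1500 limit, one below, one empty."""
    big = [f"CN=user{i},OU=Users,DC=example,DC=test" for i in range(3200)]
    small = [f"CN=admin{i},OU=Users,DC=example,DC=test" for i in range(10)]
    return FakeDirectory({
        "CN=BigGroup,OU=Groups,DC=example,DC=test": big,
        "CN=SmallGroup,OU=Groups,DC=example,DC=test": small,
        "CN=EmptyGroup,OU=Groups,DC=example,DC=test": [],
    })


if __name__ == "__main__":
    d = sample_directory()
    got = all_members(d, "CN=BigGroup,OU=Groups,DC=example,DC=test")
    print(len(got), "members fetched in", d.reads, "reads")
```

Against a real DC the same loop is driven by a base-scope search on the group DN with the ranged attribute name in the returned-attributes list; note that the base must be the group's own DN (CN=...), since an OU has no `member` attribute.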

Similar Messages

  • Cannot retrieve Members of Group

    Hi,
    I am new to Active Directory. I have the following code to retrieve members of a group (in Active Directory) which does not work.
    // env: the JNDI environment Hashtable (provider URL, credentials); attr: comma-separated attribute names to return
    InitialLdapContext ctx = new InitialLdapContext(env, null);
    String[] MY_ATTRS = attr.split(",");
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    constraints.setReturningAttributes(MY_ATTRS);
    NamingEnumeration<SearchResult> results = ctx.search("DC=nam,DC=corp,DC=mg,DC=com", "(memberOf=OU=Moved IDs,OU=People,OU=Common,OU=ME,OU=BP,OU=USA,DC=nam,DC=corp,DC=mg,DC=com)", constraints);
    while (results.hasMore()) {
        System.out.println(results.next().getNameInNamespace());
    }
    (does not work)
    However, we have another group as follows and it works.
    CN=NAMMEMovedIDs,OU=SG,OU=Process,OU=Common,OU=ME,OU=BP,OU=USA,DC=nam,DC=corp,DC=mg,DC=com
    ctx.search("DC=nam,DC=corp,DC=mg,DC=com", "(memberOf=CN=NAMMEMovedIDs,OU=SG,OU=Process,OU=Common,OU=ME,OU=BP,OU=USA,DC=nam,DC=corp,DC=mg,DC=com)", constraints);
    (works)
    I am not sure what the difference is between OU and CN groups. Why am I not able to retrieve members of an OU? Any ideas, please.
    Thanks

    I was able to retrieve Members of Group using the following code.
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // list() enumerates the direct children of the OU; it does not take SearchControls
    NamingEnumeration<NameClassPair> results = ctx.list("OU=ME,OU=BP,OU=USA,DC=nam,DC=corp,DC=mg,DC=com");
    // List users
    while (results.hasMore()) {
        NameClassPair ncp = results.next();
        String userName = ncp.getName();
        System.out.println("User: " + userName);
    }

  • Create a new group in Active Directory ?

    Hello,
    I'd like to create a new group in Active Directory. Can somebody show me some sample code, please?
    Thanks.

    Someone should show you how to perform a search. There's a sample in this forum.
    http://forums.sun.com/thread.jspa?threadID=623860

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory, but the client wants the mapping to be through a RADIUS server, to avoid ISE querying the Active Directory directly.
    I know it is possible to use a RADIUS server as an external identity source for ISE, but is it possible to use this RADIUS server for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how, please open the link below and go to the "Mapping Active Directory Groups to Sponsor Groups" heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • Could we have same name's for User and Groups in Active directory

    When I am trying to create a user named "Logistics" under an OU, I am getting an error:
    "The pre-Windows 2000 logon name you have chosen is already in use in this domain. Choose another pre-Windows 2000 logon name, and then try again"
    We already have a group by the name "Logistics".
    Could we have the same names for Users and Groups in Active Directory?
    Thanks in Advance

    The sAMAccountName attribute is unique. So, the short answer is you cannot.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • "Domain Users" group in Active Directory does not belong to any Group Membership in LC

    An Active Directory user belonging to the "Domain Users" group does not belong to any Group Membership in LC; why does it not belong to the "Domain Users" group?
    Is there any way to correct this issue, without changing group membership on the AD side?
    If an Active Directory user is a member of "Domain Admins" or "Users", then these show the same group membership in LC.
    Thanks.

    If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
    Coming back to the Domain Users group. For determining group membership in AD, UM uses the "member" attribute of the group object. The "Domain Users" group is treated differently by AD. It is the default primary group for all the users, and normally members of the primary group are not specified using the member attribute. So when we sync the data from AD, "Domain Users" membership does not get completed.

  • Creating management accounts for protected accounts and groups in Active Directory

    I'm following the step-by-step instructions for creating management accounts for protected groups that I found in the Microsoft book "Best Practices for Securing Active Directory", published April 2013.
    What is confusing me is the "Enabling management accounts to modify the membership of protected groups" step. When I use the DSACLS command:
    Dsacls "CN=AdminSDHolder,CN=System,DC=MyDomain,DC=com"/G
    [email protected]:RPWP;member
    what do I have to type instead of "member"?
    When I use the previous command with a simple "member" at the end, I don't get this:
    Verify that the account has been granted only Read Members and
    Write Members permissions on the DA group, and click OK.
    My account has the flag on all properties.
    I hope you understand me.

    The last field is for the attribute to delegate. You can read about it here: https://technet.microsoft.com/en-us/library/cc772662%28v=ws.10%29.aspx
    You can also refer to this for updating AdminSDHolder container: http://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • DBMS_LDAP adding user to security group on Active Directory

    Hi forum members,
    I am accessing and manipulating Active Directory using the DBMS_LDAP package and its APIs.
    My initial code is to add a new entry in our MUsers group. After establishing the session and binding it, I supply the required credentials and the user, e.g. 366944, is created successfully in the MUsers group, which is a global users group.
    My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
    When I do a search on the "Researcher" group this is the result (I have deleted a few irrelevant entries):
    ATTIBUTE_NAME: objectClass = top
    ATTIBUTE_NAME: objectClass = group
    ATTIBUTE_NAME: cn = Researcher
    ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: distinguishedName = CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
    ATTIBUTE_NAME: instanceType = 4
    ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
    ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
    ATTIBUTE_NAME: uSNCreated = 97190
    ATTIBUTE_NAME: uSNChanged = 102960
    ATTIBUTE_NAME: name = Researcher
    ATTIBUTE_NAME: objectGUID = ?P??|F? ?Q?'
    ATTIBUTE_NAME: objectSid =
    ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
    ATTIBUTE_NAME: sAMAccountType = 268435456
    ATTIBUTE_NAME: groupType = -2147483646
    ATTIBUTE_NAME: objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
    My add_in_group function is (I am hardcoding certain values for simplicity):
    FUNCTION add_in_group
      (ldap_session dbms_ldap.SESSION)
    RETURN PLS_INTEGER
    IS
      lv_vals   dbms_ldap.string_collection;
      lv_array  dbms_ldap.mod_array;
      ln_retval PLS_INTEGER;
      l_group   VARCHAR2(256);
    BEGIN
      -- Initialize the mod array for the modify command
      lv_array := dbms_ldap.create_mod_array(10);
      IF lv_array IS NULL THEN   -- "= NULL" is never true in PL/SQL; IS NULL is the test
        dbms_output.put_line('Error add_in_group: lv_array not initialized.');
        RETURN -1;
      END IF;
      dbms_output.put_line('lv_array successfully initialized');
      -- Populate the mod array: add the new user's DN to the member attribute
      lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
      dbms_ldap.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'member', lv_vals);
      -- Populate the object class variables
      lv_vals(1) := 'group';
      BEGIN
        DBMS_LDAP.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'objectclass', lv_vals);
      EXCEPTION
        WHEN OTHERS THEN
          DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
      END;
      -- Group modification
      l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
      BEGIN
        ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
      --EXCEPTION
      --  WHEN OTHERS THEN
      --    dbms_output.put_line('Error in modify_s ');
      END;
      -- Free the mod array
      dbms_ldap.free_mod_array(lv_array);
      RETURN ln_retval;
    EXCEPTION
      WHEN OTHERS THEN
        dbms_output.put_line('add_in_group : ' || SQLCODE || ' ' || SQLERRM);
        RETURN -1;
    END add_in_group;
    My error is:
    ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
    UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
    The error description reads like this:
    Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
    In this case, I am using the modify_s operation. I am supplying the credentials of the Researcher group and trying to set the 'member' attribute to a user already existing in a different group (MUsers).
    The Researcher group already has 3 users, namely 1, 2 and 3, as members. These users are also part of the MUsers group.
    Hence I am not trying to rename any entry to the name of an entry that already exists.
    Any help on this would be appreciated.

    Hi,
    I tried the same code that you have mentioned and made some changes as follows, and now I am able to add members to a group.
    Remove the section that contains the following commands, then it will work:
    lv_vals(1) := 'group';
    DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
    Thanks & Best Regards,
    Indika

  • OIM - Provisioning of a Group to Active Directory

    Hello,
    When I provision an AD Group resource I get the following exception:
    08/06/02 11:44:40 Running Get Attribute Map
    08/06/02 11:44:40 Running Get Path
    08/06/02 11:44:40 Running Create Group
    ERROR,02 Jun 2008 11:44:41,600,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: javax.naming.directory.InvalidAttributeValueException: [
    LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece^@]; remaining name
    'cn=Xellerate Users'
    I am using the standard form that is provided with the Connector for Microsoft Active Directory 9.0.4.
    Thanks

    The group name wasn't too long. There was a problem in Lookup Definition of the Group Type. I could solve this problem.
    Best regards

  • Getting a user's primary group from Active Directory

    I'm coding a Java web app that should authenticate a user to Active Directory and return his primary group.
    Using the JNDI APIs I implemented the first part (authentication) and it functions well, but I am still having problems with the second part (getting the user's primary group).
    Is there somebody who knows of / has some code for getting this info from Active Directory using Java?
    Thanks a lot.
    Regards.
    John.


  • Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!

    For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems. The issues were hit & miss but still problematic enough to warrant our looking into it. It seems to be getting worse... I now have new servers that aren't getting group policy updates. They may get some, like the list of local admins, but won't pick up NTFS permissions for folder access. Those that pick up the AD group full of local admins have trouble authenticating members of the group. Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC. We reloaded that DC but many of the issues still persist. At this point, I'm running out of places to look for ideas. I've spent the last week looking up Event Log IDs and looking through their meanings and possible remedies but, again, the issues persist. It doesn't seem to matter what the OS is. We've been seeing this on 2008, 2008-R2 & 2012-R2.
    Here are some examples of events I'm seeing.  I can't figure out the root cause(s).
    Log Name: Application
    Source: Group Policy Files
    Date: 2/19/2015 2:35:12 PM
    Event ID: 4098
    Task Category: (2)
    Level: Warning
    Keywords: Classic
    User: SYSTEM
    Computer: H2T8-IOLDP1.HOMENET.local
    Description:
    The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Group Policy Files" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
    <EventRecordID>1871</EventRecordID>
    <Channel>Application</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data>computer</Data>
    <Data>uptime.exe</Data>
    <Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
    <Data>0x80090006 Invalid Signature.</Data>
    </EventData>
    </Event>
    Log Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date: 2/19/2015 9:38:13 AM
    Event ID: 20499
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: H2T8-IOLDP1.HOMENET.local
    Description:
    Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>20499</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
    <EventRecordID>4</EventRecordID>
    <Correlation />
    <Execution ProcessID="1932" ThreadID="2156" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
    <UserData>
    <EventXML xmlns="Event_NS">
    <ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
    <UserName>RSickler</UserName>
    </EventXML>
    </UserData>
    </Event>
    Note that these servers are sitting in OUs that are full of other servers that don't have these issues. These GPOs have been in place for years. I suspect there's a deeper issue with AD, GP or a combination thereof. The group policy issues seem to only affect freshly loaded servers...

    Hello,
    ensure that no firewall is blocking connections on the ports required by AD, as listed in
    https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
    You have an error about subnets used in your network not being set up in AD Sites and Services and linked to the correct site; please check this in AD Sites and Services and also make sure the DCs are placed correctly in the site they belong to.
    "During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes."
    This error is about adprep /rodcprep not having been run:
    Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=HOMENET,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
    So either run the command on a DC or ignore this error.
    Please provide also the following data as file:
    ipconfig /all >c:\ipconfig.log [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS:
    http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!)
    https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    Info you requested:
    ipconfig_dcs.txt
    dcdiag.txt
    repl.log
    dnslint.htm
    ADREPLSTATUS: ADReplicationStatus.2015.2.23.9.21.16.csv ADReplicationStatusToolData.zip

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
    I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
    Sent from Cisco Technical Support iPad App

  • How to add user to one to many groups in Active directory using powershell

    Hi All,
    I am working on a script to create a user and, based on the user type, I would like to add that user to 2 or 3 groups. At the moment I have 3 groups, e.g. Domain Users, Developers, Tester.
    $NewUser = Read-Host "New Username"
    $firstname = Read-Host "First Name"
    $Lastname = Read-Host "Last Name"
    $NewName = "$firstname $Lastname"
    $Group = "Dev"
    # UPN suffix assumed to match the domain given in -Path (the original value was mangled in the post)
    New-ADUser -SamAccountName $NewUser -Name $NewName -GivenName $firstname -Surname $Lastname -DisplayName $NewName -UserPrincipalName "$NewUser@mydomain.local" -Path "CN=Users,DC=mydomain,DC=local" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password" -Force) -Enabled $true
    Add-ADGroupMember -Identity $Group -Members $NewUser
    I am not sure how to give the user (sys admin) the option of choosing 1 or more groups while creating the new user.

    I modified this line:
    Add-ADGroupMember -Identity ([string]$h[$group]) -Members $NewUser
    and now I am getting the error message:
    Add-ADGroupMember : Cannot find an object with identity: '' under: 'DC=mydomain,DC=local'

  • Updating groups in Active Directory LDAP

    Hi,
    We are making use of the LDAPResourceAdapter to manage user information present in AD.
    To manage group membership, the resource schema contains mapping of Identity System user attribute to the 'ldapGroups' resource attribute and the Group Member Attr is set to 'member'.
    A user form with multi-select component is used to manage group membership. There are no issues while associating a user with a new group, however we are not able to de-link users from their existing groups.
    I thought, Identity Manager will perform a difference between old values and new values of group membership and accordingly update the resource groups. But this doesn't happen and the documentation is silent on how group updates are handled.
    Also in the confirmation page that shows up during the update operation, the old values column does not contain existing group DNs. All group DNs appear under the new value column.
    Has anyone encountered this problem?
    What is the recommended approach for resolving this issue and successfully performing group updates?
    TIA,
    Chetan.

    Hi,
    I have done a similar thing (but using iPlanet LDAP) and the group memberships deleted OK.
    One thought is that the adapter may be configured to ignore delete operations. You can check this by running the resource wizard and stepping through until the last page. There is an item called "Account Feature Configuration".
    By the way, you say "de-link", but as I understand it, IDM only maintains "linkage" to a resource account, for example LDAP. A group membership is a "resource object", which is part of a resource account. Resource objects (groups in your case) can only be created/deleted, not de-linked.
    Another thought: it could be the following is happening.
    1: The user is associated with a group and the group membership is created on the resource.
    2: The Identity System user attribute that maps to ldapGroups is NOT being stored.
    3: The next time an update occurs, the old value is empty and the new value contains the groups, calculated from the form.
    4: IDM attempts to re-create the group membership on AD.
    So, even if you try to delete them, they just continue to reappear.
    Can you determine if the DNs of the groups are actually being stored?
    I had a similar problem. My Identity System user attribute that mapped onto ldapGroups was also called ldapGroups. I renamed it to myLdapGroups and used global.myLdapGroups in my forms (not nice, I know). This solved the problem for me.
    Hope this helps,
    Please post when you find an answer.

  • Nested groups with Active Directory AWS

    Hi, I am trying to target only specific groups from our AD, but I'd rather not have to use the partial users & groups sync, as this would mean re-configuring the auth source for any new group that we want to bring into the portal (v.5.0.2).
    I am able to target a specific part of AD in the following way:
    User Query Base : OU=Portal Users,DC=Domain1, DC=DOmain2
    User Query Filter: (&(objectclass=user)(memberOf=*))
    Group Query Base : OU=Portal Users,DC=Domain1, DC=DOmain2
    Group Query Filter: (objectclass=Group)
    This works fine, it brings in the groups in the "Portal Users" OU and any users in the OU who have group memberships. However, not all groups and users will exist in a single OU, so we decided to create a global group called "Portal Groups" and tried a similar query as above but with the query base replaced as follows:
    VN=Portal Groups,OU=Applications,DC=Domain1, DC=DOmain2
    This time... the group is brought in but no nested groups and no users! Has anyone else managed to accomplish an AWS setup of this sort or similar? I'm told that it is possible to sync in nested groups but being unfamiliar with AD I'm not sure if I've gone about it the right way.
    thanks in advance
    Simon Dragicevich

    Hi Simon,
    So let me make sure I've got your use case. You want to only create particular groups in the portal - you don't want all your AD groups in the portal. You DO want all your users imported and to have them in the appropriate groups?
    If that's correct - you either want to play with your query bases, or you want to switch to a partial GROUP sync. The former will allow you to automatically bring in new groups as they are added to AD, the latter will not.
    One thing I was confused about in your original post - did you change both the user query base and the group query base to:
    VN=Portal Groups,OU=Applications,DC=Domain1, DC=DOmain2
    or just the group query base? Assuming you did the former, that would explain why your users weren't imported. If you did the latter - that seems odd. Regardless, you don't want to create a global group, you want to create a new OU:
    OU=Portal Groups, OU=Applications, DC=Domain1, DC=Domain2
    Then set that as your group query base.  Assuming you have a bunch of groups scattered around your tree that you want in here, create shadow groups that essentially contain your other groups, e.g.:
    CN=GroupA, DC=Plumtree
    CN=GroupB, OU=Eng, DC=Plumtree
    I want both of those groups to be in my portal groups OU, so I create two new groups in my portal groups OU as follows:
    CN=GroupA, OU=Portal Groups, OU=Applications, DC=Domain1, DC=Domain2
    CN=GroupB, OU=Portal Groups, OU=Applications, DC=Domain1, DC=Domain2
    Both of these groups simply contain one member - the groups I am shadowing.  You can also more effectively deal with name clashing if you use this strategy.
    Make sense?
    -Aki
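Added example (not code from any of the posts) serving three threads above: the "Domain Users" question and the "user's primary group" question, where AD records the primary group only as `primaryGroupID` so a walk of `member` never sees it, and the nested/shadow-group setup Aki describes, which only a transitive walk of `member` resolves. The SIDs, DNs and group data are constructed sample values; `primaryGroupID` is resolved as `<domain SID>-<RID>`, the domain SID being the user's own SID minus its last RID.

```python
"""Effective AD group membership: direct 'member' links, nested (shadow)
groups, and the primary group that AD never lists in 'member'.
Added example with constructed sample data, not code from the thread."""
import struct


def make_sid(sub_authorities):
    """Build a binary objectSid (revision 1, authority 5) for the sample data."""
    return (bytes([1, len(sub_authorities)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(sub_authorities), *sub_authorities))


def sid_to_string(raw):
    """Decode AD's binary objectSid: revision, sub-authority count, 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_dn(user, groups):
    """Resolve primaryGroupID: the group whose SID is <domain SID>-<primaryGroupID>."""
    domain_sid = sid_to_string(user["objectSid"]).rsplit("-", 1)[0]
    wanted = "%s-%d" % (domain_sid, user["primaryGroupID"])
    for dn, g in groups.items():
        if sid_to_string(g["objectSid"]) == wanted:
            return dn
    return None


def effective_groups(user_dn, user, groups):
    """Every group the user belongs to: direct members, the primary group, and
    each group that (transitively) contains one of those groups."""
    found = {dn for dn, g in groups.items() if user_dn in g["member"]}
    pg = primary_group_dn(user, groups)
    if pg:
        found.add(pg)
    queue = list(found)
    while queue:  # walk 'member' upwards; the visited set stops nesting cycles
        current = queue.pop()
        for dn, g in groups.items():
            if current in g["member"] and dn not in found:
                found.add(dn)
                queue.append(dn)
    return found


DOMAIN = (21, 1111, 2222, 3333)  # constructed domain SID S-1-5-21-1111-2222-3333
ALICE_DN = "CN=alice,OU=Users,DC=example,DC=test"
ALICE = {"objectSid": make_sid(DOMAIN + (1105,)), "primaryGroupID": 513}

GROUPS = {
    # Domain Users (RID 513): everyone's primary group, so 'member' stays empty
    "CN=Domain Users,CN=Users,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (513,)), "member": []},
    "CN=GroupA,OU=Eng,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (2001,)), "member": [ALICE_DN]},
    # shadow group in the portal OU whose only member is GroupA
    "CN=GroupA,OU=Portal Groups,OU=Applications,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (2002,)),
         "member": ["CN=GroupA,OU=Eng,DC=example,DC=test"]},
    # two groups nested in each other: the walk must not loop forever
    "CN=Loop1,OU=Eng,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (2003,)),
         "member": ["CN=Loop2,OU=Eng,DC=example,DC=test"]},
    "CN=Loop2,OU=Eng,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (2004,)),
         "member": ["CN=Loop1,OU=Eng,DC=example,DC=test", ALICE_DN]},
    "CN=Unrelated,OU=Eng,DC=example,DC=test":
        {"objectSid": make_sid(DOMAIN + (2005,)), "member": []},
}

if __name__ == "__main__":
    for dn in sorted(effective_groups(ALICE_DN, ALICE, GROUPS)):
        print(dn)
```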
