Primary Group

Another important concept is the "Primary Group". By default, the "Primary Group" of a user object is the group "Domain Users", but this can be changed. The default "Primary Group" for computer objects is "Domain Computers". There should be no need to change the "Primary Group" unless the network supports Macintosh clients or POSIX-compliant applications. Unfortunately, the LDAP provider does not reveal membership in the "Primary Group" directly, so some IsMember functions have this drawback.

In most cases you can assume that every user is a member of the group "Domain Users", and that every computer is a member of the group "Domain Computers". If this is your situation, there should be no need to test memberships in these groups. If you have users or computers with different "Primary Groups", then you might need to select an IsMember function that reveals membership in the "Primary Group".