> but I think that will get the Universals from other domains as well

Nah-ah. You would have to hit a GC to get those. Wrt #2, any GC should be able to hand out the UG info in the forest. So, by hitting a GC in a domain local to the account, we should be able to retrieve the domain local, global and universal groups the account belongs to.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com> - we know IT
www.akomolafe.com <http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Not in a single call, no... You would need to:

1. Request tokenGroups from a DC of the default domain for the user. I am not sure, but I think that will get the Universals from other domains as well, but possibly you have to hit a GC of the default domain. I would have to check it and can't at the moment.

2. Request tokenGroups from a DC of every other domain that is also a GC. If you request the user object on the LDAP port you are just going to get referred back to a DC for the user's domain; you must request it through the GC port. If one or more of the foreign domains doesn't have a GC, you will not be able to use this method at all. You will have to do a recursive enumeration of the member attributes. Thankfully this is much faster in ADAM and K3 than it was in 2K due to the use of the implicit indexing of linked attributes.

#2 is why I have continuously asked MSFT to give us more DNS records that the DCs register, so I can easily ask for a GC of domain X instead of just any GC in the forest. GCs are not created equal; due to implementation details, they can and do give out different info (and have different capabilities) for different objects depending on how they are asked. Just ask the Exchange Dev guys. <eg>

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field

I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in AD in order to determine group membership of a user. I just convert the byte array to a string. I found that this is faster than doing a recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other domains (except for the builtin groups). So if I need to validate that userA in DomainA belongs to a group in DomainB, tokenGroups won't cut it. I tried connecting to a DC in DomainB and getting the tokenGroups for userA but ended up with the same result.

So my question is: does anyone know of a way I can use tokenGroups to get the membership info for every domain?

Thanks!

_________________________________
Joseph Isenhour

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
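The thread turns on two things: the "byte array to string" conversion Joseph mentions (each tokenGroups value is a binary SID), and joe's point that a DC of the user's own domain only hands back SIDs it knows about, so you have to look at which domain issued each SID to know whether you are missing DomainB's groups. The following is an added example, not code from any of the posters. It decodes binary SIDs into `S-1-...` form, then sorts the result of a tokenGroups read into groups from the user's own domain, BUILTIN groups of the answering DC, well-known SIDs, and groups issued by some other domain. All SIDs below are constructed sample values (the `S-1-5-21-1000-2000-3000` and `S-1-5-21-4000-5000-6000` domains do not exist); no directory is contacted, and the function names are the example's own.

```python
"""Decode tokenGroups SIDs and sort them by the domain that issued them.

Added example for the tokenGroups thread; not code from the list posters.
All SIDs are constructed sample data. In a real run the byte strings would
come from a base-scope LDAP search on the user DN requesting the
constructed attribute tokenGroups (on the GC port for foreign domains,
as described in the thread).
"""
import struct
from typing import Dict, List


def sid_bytes_to_string(sid: bytes) -> str:
    """Convert a binary SID (the raw tokenGroups value) to S-1-... form.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 the
    48-bit identifier authority (big-endian), then count x 4-byte
    sub-authorities (little-endian).
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(sid) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(sid), count))
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build the sample."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def issuing_domain(sid: str) -> str:
    """Domain SID that issued a group SID (its RID stripped), or a marker.

    S-1-5-32-* is BUILTIN, which is local to whichever DC answered; other
    short SIDs (S-1-5-11 Authenticated Users, S-1-1-0 Everyone, ...) are
    well-known and belong to no domain.
    """
    parts = sid.split("-")
    if sid.startswith("S-1-5-32-"):
        return "BUILTIN"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:-1])
    return "WELL-KNOWN"


def classify_token_groups(token_groups: List[bytes], user_domain_sid: str) -> Dict[str, List[str]]:
    """Bucket decoded tokenGroups so a caller can see whether any SID came
    from a domain other than the user's own (the case the thread is about)."""
    buckets: Dict[str, List[str]] = {"user_domain": [], "builtin": [], "foreign": [], "well_known": []}
    for raw in token_groups:
        text = sid_bytes_to_string(raw)
        issuer = issuing_domain(text)
        if issuer == user_domain_sid:
            buckets["user_domain"].append(text)
        elif issuer == "BUILTIN":
            buckets["builtin"].append(text)
        elif issuer == "WELL-KNOWN":
            buckets["well_known"].append(text)
        else:
            buckets["foreign"].append(text)
    return buckets


# Constructed sample: the user's domain and a tokenGroups result as a GC of
# the other domain might return it (a DC of the user's own domain would not
# list the last entry, which is the gap the thread describes).
USER_DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SAMPLE_TOKEN_GROUPS = [sid_string_to_bytes(s) for s in (
    "S-1-5-21-1000-2000-3000-513",    # Domain Users in the user's domain
    "S-1-5-21-1000-2000-3000-1105",   # a global group in the user's domain
    "S-1-5-32-545",                   # BUILTIN\Users on the answering DC
    "S-1-5-11",                       # Authenticated Users (well-known)
    "S-1-5-21-4000-5000-6000-1109",   # a group issued by the other (constructed) domain
)]


def demo_classification() -> Dict[str, List[str]]:
    return classify_token_groups(SAMPLE_TOKEN_GROUPS, USER_DOMAIN_SID)


if __name__ == "__main__":
    for bucket, sids in demo_classification().items():
        print("%-12s %s" % (bucket, ", ".join(sids) or "(none)"))
```

The practical check is the `foreign` bucket: if it is empty after reading tokenGroups from the user's own DC, that says nothing about DomainB membership, because, as joe notes, you still have to repeat the read against a GC in each other domain (or fall back to recursive member enumeration where a domain has no GC).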