>>>but I think that will get the Universals from other domains as
well
nah-ah. would have to hit a GC to get those.
wrt #2, any GC should be able to hand out the UG info in the forest. So, by
hitting a GC in a domain local to the account, we should be able to retrieve
the domain local, global and universal groups the account belongs to.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com> - we know IT
www.akomolafe.com <http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Not in a single call no... You would need to
1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.
2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.
#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just as
the Exchange Dev guys. <eg>
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field
I'm back with another development question ;-)
Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string. I found that this is faster than doing a
recursive LDAP enumeration because it's one query.
I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups). So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.
I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.
So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?
Thanks!
_________________________________
Joseph Isenhour
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
