I actually tried option 2 using the GC port assuming that it would do
the trick and it didn't seem to.  

Basically here's how I did it using System.DirectoryServices ( we're not
all cool enough to use the msldap win32 api ;-) )

Step 1: Get a DC from every domain in the forest.

Step 2: Get the user from each DC using "GC://dcX.net/CN=user,DC=net"

Step 3: Combine token groups into one string[] (throwing away any
duplicates obtained from referrals).

Now it's entirely possible that this is the way to do it and my code has
a bug ( shocking :-) ).  I actually thought this was the way to go and
was a bit surprised with the results.

I'll take a closer look at my code and see what's going on. 

As always, much appreciated.




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.

#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys. <eg>

  joe
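The procedure both posts describe (one GC-capable DC per domain, bind the user through the GC port, read tokenGroups, merge the SIDs and drop referral duplicates), written out as an added C# example for this page. It is not Joseph's code (his is not in the thread) and not a Microsoft sample. The user DN `CN=user,DC=net` is a placeholder; the forest, the account the code runs under and read access to the user object are assumptions. Following joe's caveat, a domain with no GC is reported rather than queried, since tokenGroups cannot cover it. SIDs are merged into a `HashSet<SecurityIdentifier>` instead of a `string[]` so duplicates fall out automatically.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

// Added example, not code from the thread. Merges tokenGroups from one GC in
// every domain of the current forest. Names and DNs below are placeholders.
static class ForestTokenGroups
{
    // Step 2: read the constructed tokenGroups attribute for one DN through one
    // GC. The GC:// moniker binds to the global catalog port; LDAP:// would just
    // refer us back to a DC of the user's own domain and return that domain's view.
    static IEnumerable<SecurityIdentifier> ReadTokenGroups(string gcHost, string userDn)
    {
        using (var entry = new DirectoryEntry("GC://" + gcHost + "/" + userDn))
        {
            // tokenGroups is computed on demand; it has to be requested explicitly.
            entry.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in entry.Properties["tokenGroups"])
                yield return new SecurityIdentifier(sidBytes, 0);
        }
    }

    static void Main(string[] args)
    {
        // Placeholder DN; pass the real one as the first argument.
        string userDn = args.Length > 0 ? args[0] : "CN=user,DC=net";

        Forest forest = Forest.GetCurrentForest();

        // Step 1: pick one GC per domain. There is no DNS record for "a GC of
        // domain X" (joe's point), so enumerate every GC and group by domain.
        var gcByDomain = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (GlobalCatalog gc in forest.FindAllGlobalCatalogs())
        {
            if (!gcByDomain.ContainsKey(gc.Domain.Name))
                gcByDomain[gc.Domain.Name] = gc.Name;
        }

        // Step 3: a HashSet drops the duplicates that referrals hand back.
        var merged = new HashSet<SecurityIdentifier>();
        foreach (Domain domain in forest.Domains)
        {
            string gcHost;
            if (!gcByDomain.TryGetValue(domain.Name, out gcHost))
            {
                // joe's caveat: without a GC in this domain the tokenGroups route
                // cannot see its groups; it needs recursive member enumeration instead.
                Console.WriteLine("no GC in {0}; tokenGroups cannot cover it", domain.Name);
                continue;
            }
            try
            {
                foreach (SecurityIdentifier sid in ReadTokenGroups(gcHost, userDn))
                    merged.Add(sid);
            }
            catch (DirectoryServicesCOMException ex)
            {
                Console.WriteLine("{0}: {1}", gcHost, ex.Message);
            }
        }

        // Print each group with the domain SID it belongs to (null for BUILTIN and
        // other well-known SIDs) so groups from other domains stand out.
        foreach (SecurityIdentifier sid in merged)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolved>"; }
            Console.WriteLine("{0} {1} domain={2}", sid.Value, name, sid.AccountDomainSid);
        }
    }
}
```

Run it as `ForestTokenGroups.exe "CN=user,DC=net"` from a domain-joined machine. The `domain=` column is the quickest way to check whether a GC actually returned groups from a foreign domain or only the user's home domain plus BUILTIN.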
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_________________________________
Joseph Isenhour 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
