TokenGroups does talk to a GC, if the current DC is not a GC itself.
Basically, that's the reason we disallow one-level and subtree searches
hitting tokenGroups (so that we don't overload the DC -- it is an
expensive call). You will get different results depending on which DC
you are connected to, because the results include local groups.

If you want consistent results, read tokenGroupsGlobalAndUniversal --
that will return the same result no matter which DC you are connected
to. However, it will not include local groups.

If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or
something like this, sorry, forgot the exact name -- check in the
schema) -- this one will give you local info without talking to the GC,
but then you've got what you've got.

Dmitri
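Dmitri's two points above (tokenGroups differs by DC because it includes local groups; tokenGroupsGlobalAndUniversal is consistent but omits them) and Joseph's byte-array-to-string conversion, as an added Python example that is not code from the thread. It assumes both attributes were already fetched with a BASE-scope LDAP search and arrive as lists of binary SIDs; all SIDs below are constructed sample data, not values from the list.

```python
import struct

def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (the byte form tokenGroups returns) into S-R-A-... text."""
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)  # 32-bit each, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed samples."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def decode_token_groups(values) -> set:
    """Turn the raw attribute value list into a set of SID strings."""
    return {sid_to_string(v) for v in values}

def domain_of(sid: str) -> str:
    """Issuing domain = everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]

def dc_dependent_groups(token_groups, global_universal) -> set:
    """SIDs in tokenGroups but not in tokenGroupsGlobalAndUniversal: the local
    groups, i.e. the part of the result that changes with the DC you query."""
    return decode_token_groups(token_groups) - decode_token_groups(global_universal)

def memberships_in(values, domain_sid: str) -> set:
    """Groups from one domain (the OP's 'userA in DomainA, group in DomainB' check)."""
    return {s for s in decode_token_groups(values) if domain_of(s) == domain_sid}

# Constructed sample data: two hypothetical domains, one DC's view of a user.
DOMAIN_A = "S-1-5-21-1000-2000-3000"
DOMAIN_B = "S-1-5-21-4000-5000-6000"
TOKEN_GROUPS = [string_to_sid(s) for s in (
    DOMAIN_A + "-513",    # Domain Users (global)
    DOMAIN_A + "-1105",   # a domain-local group on the queried DC
    DOMAIN_B + "-1201",   # a universal group from the other domain
    "S-1-5-32-545")]      # BUILTIN\Users (local to the DC)
GLOBAL_AND_UNIVERSAL = [string_to_sid(s) for s in (DOMAIN_A + "-513", DOMAIN_B + "-1201")]
```

With real data, swap the constructed lists for the attribute values returned by the BASE-scope search of the user's DN.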

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

> nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1].
Unfortunately you are incorrect. :)

I had a feeling but wasn't positive when I wrote that response so I made
it clear that I wasn't sure and that I needed to test it (that was the
part you snipped). Now that I have had a chance to test it though I can
definitely say that tokenGroups WILL get the Universal groups from the
other domains even if it is NOT a GC. I just did it in my test lab.

I thought it worked that way as I recalled chasing the source path and
actually seeing it. I wanted to understand why the three tokengroups
attributes were the only ones you had to use a BASE query for. In the
source I finally chased through all of the nested calls and got to the
point where it looked like it would call out to a GC for expansion if
needed which answered that question pretty well (been a while since I
looked at it, I should go peek again). Basically the intent is that the
value of the attribute should be what would be generated for your logon
token.



> wrt #2, any GC should be able to hand out the UG info in the forest. 
> So, by hitting a GC in a domain local to the account, we should be 
> able to retrieve the domain local, global and universal groups the 
> account belongs to.

For that domain only... The OP's question was about getting memberships
from other domains which is fine if all other memberships are only UGs.
That won't catch DLGs however. And as corrected above, you don't have to
hit a GC in the default domain, any DC will do as the token expansion
will be handled just like it is for auth.

  joe
 

[1] Well not really I was about 72.6022% sure it would work so let's say
you had about a 5% chance of being right. ;o)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

>>> but I think that will get the Universals from other domains as well
 
nah-ah. would have to hit a GC to get those.
 
wrt #2, any GC should be able to hand out the UG info in the forest. So,
by hitting a GC in a domain local to the account, we should be able to
retrieve the domain local, global and universal groups the account
belongs to.
 

Sincerely, 
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon
 

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field



Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user. I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would
have to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC.
If you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through
the GC port. If one or more of the foreign domains doesn't have a GC, you
will not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in
ADAM and K3 than it was in 2K due to the use of the implicit indexing of
linked attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just
ask the Exchange Dev guys. <eg>

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_________________________________
Joseph Isenhour

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
