Dmitri I told you that you where a folk hero ;-)
Joe did i read right(Erics blog)? Eric is now working for the Windows Live group. Eric congrats i hope it goes well :-D Carlos -----Original Message----- From: "joe" <[EMAIL PROTECTED]> To: ActiveDir@mail.activedir.org Sent: 29/05/2006 06:37 Subject: RE: [ActiveDir] tokenGroups field Excellent thanks Dmitri. The three attributes are tokenGroups tokenGroupsGlobalAndUniversal tokenGroupsNoGCAcceptable To the list denizens, Dmitri is one of those people like ~Eric and our local garage door operator that you really really want to listen to. I think this is the first time I have seen him posting here which is great. You will usually find him in the MSFT newsgroups answering the really hard AD and ADAM questions that the rest of us are guessing on. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov Sent: Saturday, May 27, 2006 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field TokenGroups does talk to a GC, if the current DC is not a GC itself. Basically, that's the reason we disallow one-level and subtree searches hitting tokenGroups (so that we don't overload the DC -- it is an expensive call). You will get different results depending on which DC you are connected to, because the results include local groups. If you want consistent results, read tokenGroupsGlobalAndUniversal -- that will return the same result no matter which DC you are connected to. However, it will not include local groups. If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or something like this, sorry, forgot the exact name -- check in the schema) -- this one will give you local info without talking to the GC, but then you've got what you've got. Dmitri -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 26, 2006 5:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field > nah-ah. would have to hit a GC to get those. Thanks for responding Deji. Good guess, 50/50 shot at it[1]. Unfortunately you are incorrect. :) I had a feeling but wasn't positive when I wrote that response so I made it clear that I wasn't sure and that I needed to test it (that was the part you snipped). Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab. I thought it worked that way as I recalled chasing the source path and actually seeing it. I wanted to understand why the three tokengroups attributes were the only ones you had to use a BASE query for. In the source I finally chased through all of the nested calls and got to the [truncated by sender] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
