Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked
back in.  I think Dmitri summed things up quite well.  I'll just add that
ADSI and S.DS don't do anything interesting here.  The net result is the
same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups
samples are pretty good otherwise.  Ryan showed three different methods for
converting the SIDs back into friendly names, which could help a lot of
people.

Joe K.

----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


> Something could be happening under the covers for you by NET or ADSI. JoeK
> could probably help there. However hitting a GC in each domain should do it.
> The main thing it is going to get you if it wasn't clear in the response to
> Deji is the domain local groups in the foreign domains. Obviously the user
> couldn't be in GGs in other domains and UGs would be handled by hitting the
> default DC for the user assuming you aren't in mixed mode.
>
> You may want to use adfind to look at the results from each of the domains.
> With the new -resolvesids switch the tokenGroups attribute gets a nice
> resolved output which is nice....
>
>
>
>  joe
>
>
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
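
Added example, not part of the thread or of any poster's code: a sketch of merging the tokenGroups values read from a GC in each domain, decoding the binary SIDs to S-1-... form and flagging the ones the home domain did not return (the foreign domain local groups the thread is after). The domain names, SIDs, helper names and what each GC returns are constructed for illustration; the LDAP reads themselves are assumed to have happened already.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (a tokenGroups value) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def pack_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the sample data."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def merge_token_groups(per_domain: dict) -> dict:
    """Union the per-domain results: {sid: sorted domains that returned it}."""
    merged = {}
    for domain, values in per_domain.items():
        for raw in values:
            merged.setdefault(sid_to_string(raw), set()).add(domain)
    return {sid: sorted(domains) for sid, domains in merged.items()}

def only_from_other_domains(merged: dict, home: str) -> list:
    """SIDs the home domain did not return, i.e. seen only via other domains."""
    return sorted(sid for sid, domains in merged.items() if home not in domains)

# Constructed sample: one user, tokenGroups as read from a GC in two domains.
HOME, OTHER = "corp.example", "child.corp.example"
SAMPLE = {
    HOME:  [pack_sid("S-1-5-21-1111-2222-3333-513"),     # global group
            pack_sid("S-1-5-21-1111-2222-3333-1105")],   # universal group
    OTHER: [pack_sid("S-1-5-21-1111-2222-3333-1105"),    # same universal group
            pack_sid("S-1-5-21-4444-5555-6666-1201")],   # domain local group
}

if __name__ == "__main__":
    merged = merge_token_groups(SAMPLE)
    for sid, domains in sorted(merged.items()):
        print(sid, "<-", ", ".join(domains))
    print("only via other domains:", only_from_other_domains(merged, HOME))
```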