Does this rate as cooler?

(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))


In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags



F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter:
&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2)
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
>nCName: DC=joe,DC=com
>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
>nCName: DC=child1,DC=joe,DC=com
>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]


2 Objects returned
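As an added illustration (not code from the thread or from AdFind), the following evaluates the bitwise crossRef filter above the way the server-side matching rule does, against constructed crossRef entries. The flag value 4 for application partitions and the sample systemFlags values for the schema, configuration and ForestDnsZones partitions are assumptions, not taken from the thread.

```python
import re

# systemFlags bits on crossRef objects, as labelled in the adfind output above.
XREF_NC_NTDS = 1                # XREF_NC_NTDS(1): a real NC hosted by NTDS
XREF_NC_DOMAIN = 2              # XREF_NC_Domain(2): the NC is a domain partition
XREF_NC_NOT_GC_REPLICATED = 4   # assumption: set on application partitions

BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR_OID = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR

# One 'attr:<rule>:=mask' clause; <rule> is adfind's AND/OR shorthand or an OID.
_BIT_CLAUSE = re.compile(r"^(?P<attr>\w+):(?P<rule>AND|OR|[\d.]+):=(?P<mask>\d+)$", re.I)


def expand_adfind_filter(flt: str) -> str:
    """Mimic adfind -bit: rewrite the :AND:/:OR: shorthand into matching-rule OIDs."""
    return flt.replace(":AND:", f":{BIT_AND_OID}:").replace(":OR:", f":{BIT_OR_OID}:")


def bit_clause_matches(clause: str, entry: dict) -> bool:
    """Evaluate a bitwise clause against an entry (attribute names are case-insensitive)."""
    m = _BIT_CLAUSE.match(clause)
    if not m:
        raise ValueError(f"not a bitwise clause: {clause}")
    attrs = {k.lower(): v for k, v in entry.items()}
    value = int(attrs.get(m["attr"].lower(), 0))   # absent attribute never matches
    mask = int(m["mask"])
    rule = {"AND": BIT_AND_OID, "OR": BIT_OR_OID}.get(m["rule"].upper(), m["rule"])
    if rule == BIT_AND_OID:
        return (value & mask) == mask   # every bit of the mask must be set
    if rule == BIT_OR_OID:
        return (value & mask) != 0      # at least one bit of the mask is set
    raise ValueError(f"unknown matching rule OID {rule}")


def domain_partitions(crossrefs: list) -> list:
    """nCName of each domain NC, i.e. joe's filter: schema, config and app partitions drop out."""
    return [e["nCName"] for e in crossrefs
            if e["objectCategory"] == "crossRef"
            and bit_clause_matches("systemFlags:AND:=2", e)]


# Constructed crossRef entries; systemFlags values follow the flag definitions above.
SAMPLE_CROSSREFS = [
    {"objectCategory": "crossRef", "nCName": "DC=joe,DC=com", "systemFlags": 3},
    {"objectCategory": "crossRef", "nCName": "DC=child1,DC=joe,DC=com", "systemFlags": 3},
    {"objectCategory": "crossRef", "nCName": "CN=Schema,CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"objectCategory": "crossRef", "nCName": "CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"objectCategory": "crossRef", "nCName": "DC=ForestDnsZones,DC=joe,DC=com", "systemFlags": 5},
]

if __name__ == "__main__":
    print(expand_adfind_filter("&(objectcategory=crossRef)(systemflags:AND:=2)"))
    print(domain_partitions(SAMPLE_CROSSREFS))   # only the two domain NCs survive
```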




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe,

That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
domains in the forest and then connects to a GC in each and grabs
tokenGroups for each and combines them into one string[]

That seems to work fine ( until the day when we have a large number of
domains :-o ).  

Speaking of enumerating the domains in the forest, I'm enumerating the
domains by connecting to:
CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions.  That seems to
work fine until the day we start using application partitions in which
case I will have no way of distinguishing a security enabled partition
from the application partition.  

Is there a cooler way to enumerate the domain partitions in a forest?  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a "special" way. 

Although the member attribute is marked for PAS inclusion, only UG
membership is replicated outside of a domain to all GCs.

If you aren't worried about token creation for Windows security and
instead just want to have full membership of a user in a single query,
you have two options that I can think of:

1. Consolidate the group membership into another store, say ADAM or SQL
Server.

2. Create another linked attribute pair that you apply to users and
groups like member/memberOf that is set for PAS inclusion. When you set
the member attribute you set the additional attribute, which will
replicate to all GCs because the directory doesn't have any special
rules for your custom attribute. If you go that far, I would also set
that new attribute to be saved on tombstone as well. :)



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured.

So this is of low importance, but why wouldn't any GC in the forest be
able to provide me with the local groups for all of the domains?  Why do
I have to hit a GC in every domain?  As I understand it the GC
replicates the data from each domain that is marked for the partial
attribute set.  

Like I said, really low importance, I'm just curious.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log
onto a workstation that is part of a forest, your token on the
workstation will contain Universal groups of the forest, global groups
from the local domain, domain local groups from the local domain
(assuming native mode) and local groups from the local machine. Take a
look at whoami /groups or sectok to see your interactive token.

Now if you connect to a remote machine, you will get the groups that
have value there on your token on that remote machine. This is easiest
to see with ADAM: connect to an ADAM instance and pull the rootDSE
attribute tokenGroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked
back in. I think Dmitri summed things up quite well. I'll just add that
ADSI and S.DS don't do anything interesting here. The net result is the
same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no
really easy way to do it. The UGs and GGs from the user's home domain
should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups
samples are pretty good otherwise. Ryan showed three different methods
for converting the SIDs back into friendly names, which could help a
lot of people.

Joe K.

----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


> Something could be happening under the covers for you by NET or ADSI.
> JoeK could probably help there. However hitting a GC in each domain
> should do it.
> The main thing it is going to get you if it wasn't clear in the
> response to Deji is the domain local groups in the foreign domains.
> Obviously the user couldn't be in GGs in other domains and UGs would
> be handled by hitting the default DC for the user assuming you aren't
> in mixed mode.
>
> You may want to use adfind to look at the results from each of the
> domains. With the new -resolvesids switch the tokenGroups attribute
> gets a nice resolved output which is nice....
>
>  joe
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx