I'm using 1.1.  I actually wrote a bunch of interop code so that I can
use most of the DS services (DSGetDCName, DSGetSite, Etc) as .Net
objects.  Nice to know I could have just upgraded to .Net 2.0 ;-)

Thanks for the info

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, May 31, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I was going to say the same thing.  Also, if you are using .NET 2.0, the
new S.DS.ActiveDirectory namespace has tons of cool ways to enumerate
domains in a forest, DCs in a domain (and by site), etc.  The domain
enumeration code uses very similar LDAP searches under the hood.  The DC
enumeration stuff uses the locator service (DsGetDcName, etc.).

Joe Kaplan
----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, May 31, 2006 6:06 PM
Subject: RE: [ActiveDir] tokenGroups field


> Does this rate as cooler?
>
>
> (&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))
>
>
> In adfind, you would do something like
>
> adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags
>
>
>
> F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags
>
> AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
>
> Transformed Filter:
> &(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2)
> Using server: 2k3dc02.joe.com:389
> Directory: Windows Server 2003
> Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com
>
> dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
>>nCName: DC=joe,DC=com
>>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]
>
> dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
>>nCName: DC=child1,DC=joe,DC=com
>>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]
>
>
> 2 Objects returned
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> Sent: Wednesday, May 31, 2006 12:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] tokenGroups field
>
> Thanks Joe,
>
> That's a little bit further than I want to go ;-)
>
> I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
> domains in the forest and then connects to a GC in each and grabs
> tokenGroups for each and combines them into one string[]
>
> That seems to work fine ( until the day when we have a large number of
> domains :-o ).
>
> Speaking of enumerating the domains in the forest, I'm enumerating the
> domains by connecting to:
> CN=Partitions,CN=Configuration,DC=forestroot,DC=net
>
> Then I throw away the schema, config, and DNS partitions.  That seems to
> work fine until the day we start using application partitions, in which
> case I will have no way of distinguishing a security-enabled partition
> from the application partition.
>
> Is there a cooler way to enumerate the domain partitions in a forest?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, May 30, 2006 6:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] tokenGroups field
>
> The membership of groups is handled in a "special" way.
>
> Although the member attribute is marked for PAS inclusion, only UG
> membership is replicated outside of a domain to all GCs.
>
> If you aren't worried about token creation for Windows security and
> instead just want to have full membership of a user in a single query,
> you have two options that I can think of:
>
> 1. Consolidate the group membership into another store, say ADAM or SQL
> Server.
>
> 2. Create another linked attribute pair that you apply to users and
> groups like member/memberof that is set for PAS inclusion. When you set
> the member attribute you set the additional attribute, which will
> replicate to all GCs because the directory doesn't have any special
> rules for your custom attribute. If you go that far, I would also set
> that new attribute to be saved on tombstone as well. :)
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> Sent: Tuesday, May 30, 2006 9:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] tokenGroups field
>
> Thanks, that's pretty much what I figured.
>
> So this is of low importance, but why wouldn't any GC in the forest be
> able to provide me with the local groups for all of the domains?  Why do
> I have to hit a GC in every domain?  As I understand it the GC
> replicates the data from each domain that is marked for the partial
> attribute set.
>
> Like I said, really low importance, I'm just curious.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, May 30, 2006 4:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] tokenGroups field
>
> Your token only contains groups that are valid locally. So if you log
> onto a workstation that is part of a forest, your token on the
> workstation will contain Universal groups of the forest, global groups
> from the local domain, domain local groups from the local domain
> (assuming native mode) and local groups from the local machine. Take a
> look at whoami /groups or sectok to see your interactive token.
>
> Now if you connect to a remote machine, you will get the groups that
> have value there on your token on that remote machine. This is easiest
> to see with ADAM: connect to an ADAM instance and pull the rootDSE
> attribute tokenGroups and look at what is returned...
>
> adfind -h adammachine:port -rootdse -resolvesids tokengroups
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> Sent: Tuesday, May 30, 2006 7:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] tokenGroups field
>
> Yep your examples are helpful, that's what I'm using :-)
>
> It looks like hitting a GC for each domain in the forest is the way to
> go in order to get the local group membership from other domains.
>
> So just out of curiosity, when Windows builds your token, does it
> include the local groups from other domains?  Or does it add them when
> you try to access a resource that is protected by the foreign group?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Sunday, May 28, 2006 9:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] tokenGroups field
>
> I've been checked out of the group here for a few weeks and just poked
> back in.  I think Dmitri summed things up quite well.  I'll just add
> that ADSI and S.DS don't do anything interesting here.  The net result
> is the same base LDAP query you'd do in any other language.
>
> DLGs from multiple domains are not easy to get and there seems to be no
> really easy way to do it.  The UGs and GGs from the user's home domain
> should always be there with tokenGroups though.
>
> We kind of glossed this over in our book, although our tokenGroups
> samples are pretty good otherwise.  Ryan showed three different methods
> for converting the SIDs back into friendly names, which could help a lot
> of people.
>
> Joe K.
>
> ----- Original Message ----- 
> From: "joe" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Friday, May 26, 2006 8:32 PM
> Subject: RE: [ActiveDir] tokenGroups field
>
>
>> Something could be happening under the covers for you by .NET or ADSI.
>> JoeK could probably help there. However, hitting a GC in each domain
>> should do it. The main thing it is going to get you, if it wasn't clear
>> in the response to Deji, is the domain local groups in the foreign
>> domains. Obviously the user couldn't be in GGs in other domains, and
>> UGs would be handled by hitting the default DC for the user, assuming
>> you aren't in mixed mode.
>>
>> You may want to use adfind to look at the results from each of the
>> domains. With the new -resolvesids switch the tokenGroups attribute
>> gets a nice resolved output which is nice....
>>
>>  joe
>>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx


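Added example, not code from any of the posters and not part of adfind or System.DirectoryServices: the crossRef filter from the adfind transcript above spelled out with the raw matching-rule OID, the systemFlags bit labels adfind's -bit switch prints, and the client side of the GetMemberShip approach Joseph describes, i.e. decoding the binary SIDs that tokenGroups returns from a GC in each domain and merging them into one table. The bit values are the FLAG_CR_NTDS_* constants from MS-ADTS. The LDAP searches themselves are left to whatever client you use (S.DS, ldap3); the crossRef entries, GC hostnames and SIDs below are constructed sample data, not real directory contents.

```python
import struct
from typing import Dict, Iterable, List, Optional, Set

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule that adfind
# expands ":AND:" to in the "Transformed Filter" line of the transcript.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# systemFlags bits on a crossRef (FLAG_CR_NTDS_* in MS-ADTS, named as adfind prints them).
XREF_NC_NTDS = 0x1               # NC is hosted by AD DS, not an external cross-ref
XREF_NC_DOMAIN = 0x2             # NC is a domain NC, i.e. holds security principals
XREF_NC_NOT_GC_REPLICATED = 0x4  # application partition: never replicated to GCs


def domain_nc_filter() -> str:
    """The filter from the thread: crossRefs whose systemFlags has the Domain bit set."""
    return ("(&(objectCategory=crossRef)"
            f"(systemFlags:{BIT_AND_RULE}:={XREF_NC_DOMAIN}))")


def decode_system_flags(flags: int) -> List[str]:
    """Label the bits the way adfind -bit does, e.g. 3 -> [XREF_NC_NTDS, XREF_NC_Domain]."""
    names = ((XREF_NC_NTDS, "XREF_NC_NTDS"),
             (XREF_NC_DOMAIN, "XREF_NC_Domain"),
             (XREF_NC_NOT_GC_REPLICATED, "XREF_NC_NotGCReplicated"))
    return [name for bit, name in names if flags & bit]


def domain_ncs(crossrefs: Iterable[dict]) -> List[str]:
    """Client-side equivalent of the bit-AND filter for crossRef entries already read
    from CN=Partitions. Schema/config (flags 1) and application partitions (flags 5)
    drop out without having to recognise them by name."""
    return [c["nCName"] for c in crossrefs if c["systemFlags"] & XREF_NC_DOMAIN]


def sid_to_string(sid: bytes) -> str:
    """tokenGroups comes back as binary SIDs; render one as S-1-5-21-...-RID."""
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, sub_count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")            # 48-bit identifier authority
    subs = struct.unpack_from(f"<{sub_count}I", sid, 8)    # little-endian subauthorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_of(sid: str) -> Optional[str]:
    """Domain SID prefix of a domain-scoped SID (S-1-5-21-a-b-c-RID), else None.
    Tells you which domain a foreign domain-local group in the merged result belongs to."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def merge_token_groups(per_gc: Dict[str, List[bytes]]) -> Dict[str, Set[str]]:
    """Merge tokenGroups read from a GC in each domain into sid -> {GCs that reported it}.
    A universal group is reported by every GC; a domain-local group only by the GC
    in its own domain, which is why one GC per domain has to be queried."""
    merged: Dict[str, Set[str]] = {}
    for gc, sids in per_gc.items():
        for raw in sids:
            merged.setdefault(sid_to_string(raw), set()).add(gc)
    return merged


def _sid(*subauthorities: int) -> bytes:
    """Build a binary NT-authority (5) SID for the constructed sample data below."""
    header = bytes([1, len(subauthorities)]) + (5).to_bytes(6, "big")
    return header + struct.pack(f"<{len(subauthorities)}I", *subauthorities)


# Constructed sample: the two domains from the adfind transcript, the schema/config
# crossRefs, one application partition, and tokenGroups as two hypothetical GCs
# (hostnames are assumptions) would return them for one user from joe.com.
SAMPLE_CROSSREFS = [
    {"cn": "JOE", "nCName": "DC=joe,DC=com", "systemFlags": 3},
    {"cn": "CHILD1", "nCName": "DC=child1,DC=joe,DC=com", "systemFlags": 3},
    {"cn": "Enterprise Configuration", "nCName": "CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"cn": "Enterprise Schema", "nCName": "CN=Schema,CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"cn": "ForestDnsZones", "nCName": "DC=ForestDnsZones,DC=joe,DC=com", "systemFlags": 5},
]
SAMPLE_TOKEN_GROUPS = {
    # Domain Users (RID 513) and a universal group in joe.com
    "2k3dc02.joe.com": [_sid(21, 1, 2, 3, 513), _sid(21, 1, 2, 3, 1105)],
    # the same universal group plus a child1 domain-local group
    "dc01.child1.joe.com": [_sid(21, 1, 2, 3, 1105), _sid(21, 4, 5, 6, 1201)],
}

if __name__ == "__main__":
    print(domain_nc_filter())
    for nc in domain_ncs(SAMPLE_CROSSREFS):
        print("domain NC:", nc)
    for sid, gcs in sorted(merge_token_groups(SAMPLE_TOKEN_GROUPS).items()):
        print(sid, "domain", domain_of(sid), "reported by", sorted(gcs))
```

Filtering on the XREF_NC_Domain bit rather than on partition names is what answers the application-partition worry: ForestDnsZones/DomainDnsZones carry systemFlags 5 (NTDS | NotGCReplicated) and never match, whatever they are called. The merge keeps the set of GCs that reported each SID, so you can see that a UG came back from every domain while a foreign domain-local group came only from its own domain's GC; turning the SIDs into names still needs a lookup against a DC (or adfind -resolvesids).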