RE: [ActiveDir] tokenGroups field

2006-06-01 Thread Isenhour, Joseph
Much cooler ;-)

That worked great.

Thanks!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 31, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Does this rate as cooler?


(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))


In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags



F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter:
(&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2))
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]


2 Objects returned




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe,

That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
domains in the forest and then connects to a GC in each and grabs
tokenGroups for each and combines them into one string[]

That seems to work fine ( until the day when we have a large number of
domains :-o ).  

Speaking of enumerating the domains in the forest, I'm enumerating the
domains by connecting to:
CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions.  That seems to
work fine until the day we start using application partitions in which
case I will have no way of distinguishing a security enabled partition
from the application partition.  

Is there a cooler way to enumerate the domain partitions in a forest?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way.

Although the member attribute is marked for PAS inclusion, only UG membership is replicated outside of a domain to all GCs.

If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query, you have two options that I can think of:

1. Consolidate the group membership into another store, say ADAM or SQL Server.

2. Create another linked attribute pair that you apply to users and groups, like member/memberof, that is set for PAS inclusion. When you set the member attribute you set the additional attribute, which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured.

So this is of low importance, but why wouldn't any GC in the forest be
able to provide me with the local groups for all of the domains?  Why do
I have to hit a GC in every domain?  As I understand it the GC
replicates the data from each domain that is marked for the partial
attribute set.  

Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token.

Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM: connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups





RE: [ActiveDir] tokenGroups field

2006-06-01 Thread Isenhour, Joseph
I'm using 1.1.  I actually wrote a bunch of interop code so that I can
use most of the DS services (DSGetDCName, DSGetSite, Etc) as .Net
objects.  Nice to know I could have just upgraded to .Net 2.0 ;-)

Thanks for the info


RE: [ActiveDir] tokenGroups field

2006-05-31 Thread Isenhour, Joseph
Thanks Joe,

That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
domains in the forest and then connects to a GC in each and grabs
tokenGroups for each and combines them into one string[]

That seems to work fine ( until the day when we have a large number of
domains :-o ).  

Speaking of enumerating the domains in the forest, I'm enumerating the
domains by connecting to:
CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions.  That seems to
work fine until the day we start using application partitions in which
case I will have no way of distinguishing a security enabled partition
from the application partition.  

Is there a cooler way to enumerate the domain partitions in a forest?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked back in. I think Dmitri summed things up quite well. I'll just add that ADSI and S.DS don't do anything interesting here. The net result is the same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no really easy way to do it. The UGs and GGs from the user's home domain should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups samples are pretty good otherwise. Ryan showed three different methods for converting the SIDs back into friendly names, which could help a lot of people.

Joe K.


RE: [ActiveDir] tokenGroups field

2006-05-31 Thread joe
Does this rate as cooler?


(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))


In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags



F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter:
(&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2))
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]


2 Objects returned





RE: [ActiveDir] tokenGroups field

2006-05-31 Thread Eric Fleischman
If you are interested in doing this over LDAP, you are on the right
track. One way is to look for crossRefs in that container like you are,
but only look for those with flag FLAG_CR_NTDS_DOMAIN set in
systemFlags. You'll find that config and schema don't have this set, nor
do arbitrary app partitions, but domains do.

~Eric



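The crossRef/systemFlags test that joe's filter and Eric's FLAG_CR_NTDS_DOMAIN hint both rely on, as an added example that is not code from the thread or from AdFind. It evaluates the two bitwise extensible-match rules offline against a constructed set of crossRef objects: the two domain entries mirror the adfind output earlier in the thread, while the configuration, schema and DNS partition entries and the "Inventory" application partition are made-up sample data carrying the systemFlags values Active Directory assigns to those partition types. It also shows why the throw-away-known-names approach stops working once an application partition with an arbitrary name exists.

```python
"""Classify forest partitions the way the crossRef/systemFlags filter does.

Added example, not code from the thread or from AdFind. It evaluates the two
bitwise extensible-match rules the adfind filter relies on against a
constructed list of crossRef objects, so it runs with no forest available.
"""
import re
from dataclasses import dataclass

# Matching-rule OIDs Active Directory accepts in (attr:OID:=value) clauses.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every operand bit set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any operand bit set

# systemFlags bits on crossRef objects (names follow MS-ADTS).
FLAG_CR_NTDS_NC = 0x1                 # NC is hosted by NTDS
FLAG_CR_NTDS_DOMAIN = 0x2             # NC is a domain partition
FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4  # application partition, not in the GC

FLAG_NAMES = {
    FLAG_CR_NTDS_NC: "NTDS_NC",
    FLAG_CR_NTDS_DOMAIN: "NTDS_DOMAIN",
    FLAG_CR_NTDS_NOT_GC_REPLICATED: "NOT_GC_REPLICATED",
}

DOMAIN_FILTER = f"(&(objectCategory=crossRef)(systemFlags:{LDAP_MATCHING_RULE_BIT_AND}:=2))"


@dataclass(frozen=True)
class CrossRef:
    cn: str
    nc_name: str
    system_flags: int


# Constructed sample: the two domains from the adfind output in the thread, the
# config/schema crossRefs, two DNS application partitions and one application
# partition with an arbitrary name. Flag values are the ones AD assigns to those
# partition types; the DNs are made up.
SAMPLE_PARTITIONS = [
    CrossRef("JOE", "DC=joe,DC=com", 3),
    CrossRef("CHILD1", "DC=child1,DC=joe,DC=com", 3),
    CrossRef("Enterprise Configuration", "CN=Configuration,DC=joe,DC=com", 1),
    CrossRef("Enterprise Schema", "CN=Schema,CN=Configuration,DC=joe,DC=com", 1),
    CrossRef("ForestDnsZones", "DC=ForestDnsZones,DC=joe,DC=com", 5),
    CrossRef("DomainDnsZones", "DC=DomainDnsZones,DC=joe,DC=com", 5),
    CrossRef("Inventory", "DC=inventory,DC=joe,DC=com", 5),
]

_CLAUSE = re.compile(r"^\((?P<attr>[A-Za-z]+):(?P<oid>[\d.]+):=(?P<operand>\d+)\)$")


def bit_match(rule_oid: str, value: int, operand: int) -> bool:
    """Evaluate one (attr:rule_oid:=operand) clause against an integer value."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return value & operand == operand
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return value & operand != 0
    raise ValueError(f"unsupported matching rule {rule_oid}")


def parse_bit_clause(clause: str) -> tuple:
    """Split '(systemFlags:1.2.840.113556.1.4.803:=2)' into (attr, oid, operand)."""
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"not a bitwise extensible-match clause: {clause}")
    return m["attr"], m["oid"], int(m["operand"])


def decode_flags(value: int) -> str:
    """Render systemFlags the way adfind -flagdc does, e.g. '3 [NTDS_NC(1);NTDS_DOMAIN(2)]'."""
    names = [f"{name}({bit})" for bit, name in FLAG_NAMES.items() if value & bit]
    return f"{value} [{';'.join(names)}]"


def domain_ncs(partitions, clause="(systemFlags:1.2.840.113556.1.4.803:=2)") -> list:
    """nCName of every crossRef the bitwise clause selects: with operand 2, the domains."""
    attr, oid, operand = parse_bit_clause(clause)
    if attr.lower() != "systemflags":
        raise ValueError(f"expected a systemFlags clause, got {attr}")
    return [p.nc_name for p in partitions if bit_match(oid, p.system_flags, operand)]


def domain_ncs_by_name(partitions) -> list:
    """The throw-away-known-names approach: it cannot tell an arbitrary
    application partition from a domain."""
    skip = {"Enterprise Configuration", "Enterprise Schema", "ForestDnsZones", "DomainDnsZones"}
    return [p.nc_name for p in partitions if p.cn not in skip]


if __name__ == "__main__":
    for p in SAMPLE_PARTITIONS:
        print(f"{p.nc_name:45} systemFlags: {decode_flags(p.system_flags)}")
    print("by flag:", domain_ncs(SAMPLE_PARTITIONS))
    print("by name:", domain_ncs_by_name(SAMPLE_PARTITIONS))
```

The BIT_AND rule requires every bit of the operand to be present, so operand 2 selects exactly the crossRefs with FLAG_CR_NTDS_DOMAIN set and nothing else; the BIT_OR rule would match any listed bit and is the wrong tool for this check. The name-based filter returns the made-up "Inventory" partition as if it were a domain, which is the failure Isenhour was anticipating.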
Re: [ActiveDir] tokenGroups field

2006-05-31 Thread Joe Kaplan
I was going to say the same thing.  Also, if you are using .NET 2.0, the new 
S.DS.ActiveDirectory namespace has tons of cool ways to enumerate domains in 
a forest, DCs in a domain (and by site), etc.  The domain enumeration code 
uses very similar LDAP searches under the hood.  The DC enumeration stuff 
uses the locator service (DsGetDcName, etc.).


Joe Kaplan

RE: [ActiveDir] tokenGroups field

2006-05-30 Thread Isenhour, Joseph
Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?


- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


Something could be happening under the covers for you by NET or ADSI. JoeK could probably help there. However hitting a GC in each domain should do it. The main thing it is going to get you, if it wasn't clear in the response to Deji, is the domain local groups in the foreign domains. Obviously the user couldn't be in GGs in other domains and UGs would be handled by hitting the default DC for the user, assuming you aren't in mixed mode.

You may want to use adfind to look at the results from each of the domains. With the new -resolvesids switch the tokenGroups attribute gets a nice resolved output, which is nice.



  joe




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] tokenGroups field

2006-05-30 Thread joe
Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull the rootdse attribute
tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked
back in.  I think Dmitri summed things up quite well.  I'll just add that
ADSI and S.DS don't do anything interesting here.  The net result is the
same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups
samples 
are pretty good otherwise.  Ryan showed three different methods for 
converting the SIDs back into friendly names, which could help a lot of 
people.

Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


Something could be happening under the covers for you by NET or ADSI.
JoeK could probably help there. However hitting a GC in each domain
should do it. The main thing it is going to get you if it wasn't clear
in the response to Deji is the domain local groups in the foreign
domains. Obviously the user couldn't be in GGs in other domains and UGs
would be handled by hitting the default DC for the user assuming you
aren't in mixed mode.

You may want to use adfind to look at the results from each of the
domains. With the new -resolvesids switch the tokenGroups attribute gets
a nice resolved output which is nice



  joe






RE: [ActiveDir] tokenGroups field

2006-05-30 Thread Isenhour, Joseph
Thanks, that's pretty much what I figured.

So this is of low importance, but why wouldn't any GC in the forest be
able to provide me with the local groups for all of the domains?  Why do
I have to hit a GC in every domain?  As I understand it the GC
replicates the data from each domain that is marked for the partial
attribute set.  

Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that
have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull the rootdse attribute
tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked
back in.  I think Dmitri summed things up quite well.  I'll just add that
ADSI and S.DS don't do anything interesting here.  The net result is the
same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups
samples 
are pretty good otherwise.  Ryan showed three different methods for 
converting the SIDs back into friendly names, which could help a lot of 
people.

Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


Something could be happening under the covers for you by NET or ADSI.
JoeK could probably help there. However hitting a GC in each domain
should do it. The main thing it is going to get you if it wasn't clear
in the response to Deji is the domain local groups in the foreign
domains. Obviously the user couldn't be in GGs in other domains and UGs
would be handled by hitting the default DC for the user assuming you
aren't in mixed mode.

You may want to use adfind to look at the results from each of the
domains. With the new -resolvesids switch the tokenGroups attribute gets
a nice resolved output which is nice



  joe






RE: [ActiveDir] tokenGroups field

2006-05-30 Thread joe
The membership of groups is handled in a special way.

Although the member attribute is marked for PAS inclusion, only UG membership
is replicated outside of a domain to all GCs.

If you aren't worried about token creation for Windows security and instead
just want to have full membership of a user in a single query, you have two
options that I can think of:

1. Consolidate the group membership into another store, say ADAM or SQL
Server.

2. Create another linked attribute pair that you apply to users and groups
like member/memberof that is set for PAS inclusion. When you set the member
attribute you set the additional attribute which will replicate to all GCs
because the directory doesn't have any special rules for your custom
attribute. If you go that far, I would also set that new attribute to be
saved on tombstone as well. :)



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured.

So this is of low importance, but why wouldn't any GC in the forest be
able to provide me with the local groups for all of the domains?  Why do
I have to hit a GC in every domain?  As I understand it the GC
replicates the data from each domain that is marked for the partial
attribute set.  

Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that
have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull the rootdse attribute
tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-)

It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it
include the local groups from other domains?  Or does it add them when
you try to access a resource that is protected by the foreign group?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked
back in.  I think Dmitri summed things up quite well.  I'll just add that
ADSI and S.DS don't do anything interesting here.  The net result is the
same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups
samples 
are pretty good otherwise.  Ryan showed three different methods for 
converting the SIDs back into friendly names, which could help a lot of 
people.

Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


Something could be happening under the covers for you by NET or ADSI.
JoeK could probably help there. However hitting a GC in each domain
should do it. The main thing it is going to get you if it wasn't clear
in the response to Deji is the domain local groups in the foreign
domains. Obviously the user couldn't be in GGs in other domains and UGs
would be handled by hitting the default DC for the user assuming you
aren't in mixed mode.

You may want to use adfind to look at the results from each of the
domains. With the new -resolvesids switch the tokenGroups attribute gets
a nice resolved output which is nice



  joe





Re: [ActiveDir] tokenGroups field

2006-05-30 Thread Joe Kaplan

Exactly right.

This actually brings up an interesting dilemma for web applications, as if 
you were just using Windows auth in IIS, the only DLGs you would get would 
be for the groups in the server's domain.


If you are trying to build groups via LDAP, do you really want all of the 
groups from ALL of the domains, or just the current one?  It is sort of a 
philosophical question.  :)


From a web application's perspective, you may also choose to include 
non-security groups in your list, in which case you can't use tokenGroups at 
all, but need to do some sort of recursive memberOf thing.  The SSO vendor 
we work with does this (which is way slow compared to tokenGroups, but has 
the benefit of being more cross-platform).


Joe K.
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, May 30, 2006 6:40 PM
Subject: RE: [ActiveDir] tokenGroups field


Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull the rootdse attribute
tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups








RE: [ActiveDir] tokenGroups field

2006-05-29 Thread Carlos Magalhaes
Dmitri

I told you that you were a folk hero ;-)

Joe, did I read right (Eric's blog)? Eric is now working for the Windows Live
group.

Eric, congrats, I hope it goes well :-D
 
Carlos
-Original Message-
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 29/05/2006 06:37
Subject: RE: [ActiveDir] tokenGroups field

Excellent thanks Dmitri.

The three attributes are

tokenGroups
tokenGroupsGlobalAndUniversal
tokenGroupsNoGCAcceptable


To the list denizens, Dmitri is one of those people like ~Eric and our local
garage door operator that you really really want to listen to. I think this
is the first time I have seen him posting here which is great. You will
usually find him in the MSFT newsgroups answering the really hard AD and
ADAM questions that the rest of us are guessing on.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Saturday, May 27, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

TokenGroups does talk to a GC, if the current DC is not a GC itself.
Basically, that's the reason we disallow one-level and subtree searches
hitting tokenGroups (so that we don't overload the DC -- it is an
expensive call). You will get different results depending on which DC
you are connected to, because the results include local groups.

If you want consistent results, read tokenGroupsGlobalAndUniversal --
that will return the same result no matter which DC you are connected
to. However, it will not include local groups.

If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or
something like this, sorry, forgot the exact name -- check in the
schema) -- this one will give you local info without talking to the GC,
but then you've got what you've got.

Dmitri

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

 nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1].
Unfortunately you are incorrect. :)

I had a feeling but wasn't positive when I wrote that response so I made
it clear that I wasn't sure and that I needed to test it (that was the
part you snipped). Now that I have had a chance to test it though I can
definitely say that tokenGroups WILL get the Universal groups from the
other domains even if it is NOT a GC. I just did it in my test lab.

I thought it worked that way as I recalled chasing the source path and
actually seeing it. I wanted to understand why the three tokengroups
attributes were the only ones you had to use a BASE query for. In the
source I finally chased through all of the nested calls and got to the

[truncated by sender]


RE: [ActiveDir] tokenGroups field

2006-05-28 Thread joe
Excellent thanks Dmitri.

The three attributes are

tokenGroups
tokenGroupsGlobalAndUniversal
tokenGroupsNoGCAcceptable


To the list denizens, Dmitri is one of those people like ~Eric and our local
garage door operator that you really really want to listen to. I think this
is the first time I have seen him posting here which is great. You will
usually find him in the MSFT newsgroups answering the really hard AD and
ADAM questions that the rest of us are guessing on.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Saturday, May 27, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

TokenGroups does talk to a GC, if the current DC is not a GC itself.
Basically, that's the reason we disallow one-level and subtree searches
hitting tokenGroups (so that we don't overload the DC -- it is an
expensive call). You will get different results depending on which DC
you are connected to, because the results include local groups.

If you want consistent results, read tokenGroupsGlobalAndUniversal --
that will return the same result no matter which DC you are connected
to. However, it will not include local groups.

If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or
something like this, sorry, forgot the exact name -- check in the
schema) -- this one will give you local info without talking to the GC,
but then you've got what you've got.

Dmitri

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

 nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1].
Unfortunately you are incorrect. :)

I had a feeling but wasn't positive when I wrote that response so I made
it clear that I wasn't sure and that I needed to test it (that was the
part you snipped). Now that I have had a chance to test it though I can
definitely say that tokenGroups WILL get the Universal groups from the
other domains even if it is NOT a GC. I just did it in my test lab.

I thought it worked that way as I recalled chasing the source path and
actually seeing it. I wanted to understand why the three tokengroups
attributes were the only ones you had to use a BASE query for. In the
source I finally chased through all of the nested calls and got to the
point where it looked like it would call out to a GC for expansion if
needed which answered that question pretty well (been a while since I
looked at it, I should go peek again). Basically the intent is that the
value of the attribute should be what would be generated for your logon
token.



 wrt #2, any GC should be able to hand out the UG info in the forest. 
 So, by hitting a GC in a domain local to the account, we should be 
 able to retrieve the domain local, global and universal groups the 
 account belongs to.

For that domain only. The OP's question was about getting memberships
from other domains which is fine if all other memberships are only UGs.
That won't catch DLGs however. And as corrected above, you don't have to
hit a GC in the default domain, any DC will do as the token expansion
will be handled just like it is for auth. 

  joe
 

[1] Well not really, I was about 72.6022% sure it would work so let's say
you had about a 5% chance of being right. ;o)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

but I think that will get the Universals from other domains as
well
 
nah-ah. would have to hit a GC to get those.
 
wrt #2, any GC should be able to hand out the UG info in the forest. So,
by hitting a GC in a domain local to the account, we should be able to
retrieve the domain local, global and universal groups the account
belongs to.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field



Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment

Re: [ActiveDir] tokenGroups field

2006-05-28 Thread Joe Kaplan
I've been checked out of the group here for a few weeks and just poked back 
in.  I think Dmitri summed things up quite well.  I'll just add that ADSI 
and S.DS don't do anything interesting here.  The net result is the same 
base LDAP query you'd do in any other language.


DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.


We kind of glossed this over in our book, although our tokenGroups samples 
are pretty good otherwise.  Ryan showed three different methods for 
converting the SIDs back into friendly names, which could help a lot of 
people.


Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field



Something could be happening under the covers for you by NET or ADSI. JoeK
could probably help there. However hitting a GC in each domain should do
it. The main thing it is going to get you if it wasn't clear in the response
to Deji is the domain local groups in the foreign domains. Obviously the user
couldn't be in GGs in other domains and UGs would be handled by hitting the
default DC for the user assuming you aren't in mixed mode.

You may want to use adfind to look at the results from each of the domains.
With the new -resolvesids switch the tokenGroups attribute gets a nice
resolved output which is nice



 joe







RE: [ActiveDir] tokenGroups field

2006-05-27 Thread Dmitri Gavrilov
TokenGroups does talk to a GC, if the current DC is not a GC itself.
Basically, that's the reason we disallow one-level and subtree searches
hitting tokenGroups (so that we don't overload the DC -- it is an
expensive call). You will get different results depending on which DC
you are connected to, because the results include local groups.

If you want consistent results, read tokenGroupsGlobalAndUniversal --
that will return the same result no matter which DC you are connected
to. However, it will not include local groups.

If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or
something like this, sorry, forgot the exact name -- check in the
schema) -- this one will give you local info without talking to the GC,
but then you've got what you've got.

Dmitri

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

 nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1].
Unfortunately you are incorrect. :)

I had a feeling but wasn't positive when I wrote that response so I made
it clear that I wasn't sure and that I needed to test it (that was the
part you snipped). Now that I have had a chance to test it though I can
definitely say that tokenGroups WILL get the Universal groups from the
other domains even if it is NOT a GC. I just did it in my test lab.

I thought it worked that way as I recalled chasing the source path and
actually seeing it. I wanted to understand why the three tokengroups
attributes were the only ones you had to use a BASE query for. In the
source I finally chased through all of the nested calls and got to the
point where it looked like it would call out to a GC for expansion if
needed which answered that question pretty well (been a while since I
looked at it, I should go peek again). Basically the intent is that the
value of the attribute should be what would be generated for your logon
token.



 wrt #2, any GC should be able to hand out the UG info in the forest. 
 So, by hitting a GC in a domain local to the account, we should be 
 able to retrieve the domain local, global and universal groups the 
 account belongs to.

For that domain only. The OP's question was about getting memberships
from other domains which is fine if all other memberships are only UGs.
That won't catch DLGs however. And as corrected above, you don't have to
hit a GC in the default domain, any DC will do as the token expansion
will be handled just like it is for auth. 

  joe
 

[1] Well not really, I was about 72.6022% sure it would work so let's say
you had about a 5% chance of being right. ;o)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

but I think that will get the Universals from other domains as
well
 
nah-ah. would have to hit a GC to get those.
 
wrt #2, any GC should be able to hand out the UG info in the forest. So,
by hitting a GC in a domain local to the account, we should be able to
retrieve the domain local, global and universal groups the account
belongs to.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com Do you now realize that
Today is the Tomorrow you were worried about Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field



Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC

RE: [ActiveDir] tokenGroups field

2006-05-26 Thread joe
Not in a single call no... You would need to 

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys, e.g.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_
Joseph Isenhour 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] tokenGroups field

2006-05-26 Thread deji
but I think that will get the Universals from other domains as
well
 
nah-ah. would have to hit a GC to get those.
 
wrt #2, any GC should be able to hand out the UG info in the forest. So, by
hitting a GC in a domain local to the account, we should be able to retrieve
the domain local, global and universal groups the account belongs to.
 

Sincerely, 
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field



Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys. eg

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_
Joseph Isenhour



RE: [ActiveDir] tokenGroups field

2006-05-26 Thread Isenhour, Joseph
I actually tried option 2 using the GC port assuming that it would do
the trick and it didn't seem to.  

Basically here's how I did it using System.DirectoryServices ( we're not
all cool enough to use the msldap win32 api ;-) )

Step 1: Get a DC from every domain in the forest.

Step 2: Get the user from each DC using GC://dcX.net/CN=user,DC=net

Step 3: Combine token groups into one string[] (throwing away any
duplicates obtained from referrals).

Now it's entirely possible that this is the way to do it and my code has
a bug ( shocking :-) ).  I actually thought this was the way to go and
was a bit surprised with the results.

I'll take a closer look at my code and see what's going on. 

As always, much appreciated.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Not in a single call no... You would need to 

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys. eg

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_
Joseph Isenhour 



RE: [ActiveDir] tokenGroups field

2006-05-26 Thread joe
 nah-ah. would have to hit a GC to get those.

Thanks for responding Deji. Good guess, 50/50 shot at it[1]. Unfortunately
you are incorrect. :)

I had a feeling but wasn't positive when I wrote that response so I made it
clear that I wasn't sure and that I needed to test it (that was the part you
snipped). Now that I have had a chance to test it though I can definitely
say that tokenGroups WILL get the Universal groups from the other domains
even if it is NOT a GC. I just did it in my test lab. 

I thought it worked that way as I recalled chasing the source path and
actually seeing it. I wanted to understand why the three tokengroups
attributes were the only ones you had to use a BASE query for. In the source
I finally chased through all of the nested calls and got to the point where
it looked like it would call out to a GC for expansion if needed which
answered that question pretty well (been a while since I looked at it, I
should go peek again). Basically the intent is that the value of the
attribute should be what would be generated for your logon token.



 wrt #2, any GC should be able to hand out the UG info 
 in the forest. So, by hitting a GC in a domain local 
 to the account, we should be able to retrieve the domain 
 local, global and universal groups the account belongs to.

For that domain only. The OP's question was about getting memberships
from other domains which is fine if all other memberships are only UGs. That
won't catch DLGs however. And as corrected above, you don't have to hit a GC
in the default domain, any DC will do as the token expansion will be handled
just like it is for auth. 

  joe
 

[1] Well not really, I was about 72.6022% sure it would work so let's say you
had about a 5% chance of being right. ;o)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

but I think that will get the Universals from other domains as
well
 
nah-ah. would have to hit a GC to get those.
 
wrt #2, any GC should be able to hand out the UG info in the forest. So, by
hitting a GC in a domain local to the account, we should be able to retrieve
the domain local, global and universal groups the account belongs to.
 

Sincerely, 
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field



Not in a single call no... You would need to

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys. eg

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried

RE: [ActiveDir] tokenGroups field

2006-05-26 Thread joe
Something could be happening under the covers for you by NET or ADSI. JoeK
could probably help there. However hitting a GC in each domain should do it.
The main thing it is going to get you if it wasn't clear in the response to
Deji is the domain local groups in the foreign domains. Obviously the user
couldn't be in GGs in other domains and UGs would be handled by hitting the
default DC for the user assuming you aren't in mixed mode. 

You may want to use adfind to look at the results from each of the domains.
With the new -resolvesids switch the tokenGroups attribute gets a nice
resolved output which is nice



  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 7:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

I actually tried option 2 using the GC port assuming that it would do
the trick and it didn't seem to.  

Basically here's how I did it using System.DirectoryServices ( we're not
all cool enough to use the msldap win32 api ;-) )

Step 1: Get a DC from every domain in the forest.

Step 2: Get the user from each DC using GC://dcX.net/CN=user,DC=net

Step 3: Combine token groups into one string[] (throwing away any
duplicates obtained from referrals).

Now it's entirely possible that this is the way to do it and my code has
a bug ( shocking :-) ).  I actually thought this was the way to go and
was a bit surprised with the results.

I'll take a closer look at my code and see what's going on. 

As always, much appreciated.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Not in a single call no... You would need to 

1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the Universals from other domains as
well, but possibly you have to hit a GC of the default domain. I would have
to check it and can't at the moment.

2. Request tokengroups from a DC of every other domain that is also a GC. If
you request the user object on the LDAP port you are just going to get
referred back to a DC for the user's domain, you must request it through the
GC port. If one or more of the foreign domains doesn't have a GC, you will
not be able to use this method at all. You will have to do a recursive
enumeration of the member attributes. Thankfully this is much faster in ADAM
and K3 than it was in 2K due to the use of the implicit indexing of linked
attributes.


#2 is why I have continuously asked MSFT to give us more DNS records that
the DCs register so I can easily ask for a GC of domain X instead of just
any GC in the forest. GCs are not created equal, due to implementation
details, they can and do give out different info (and have different
capabilities) for different objects depending on how they are asked. Just ask
the Exchange Dev guys. eg

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field


I'm back with another development question ;-)

Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string.  I found that this is faster than doing a
recursive LDAP enumeration because it's one query.

I noticed that the tokenGroups field does not contain groups from other
domains (except for the builtin groups).  So if I need to validate that
userA in DomainA belongs to a group in DomainB tokenGroups won't cut it.

I tried connecting to a DC in DomainB and getting the tokenGroups for
userA but ended up with the same result.

So my question is does anyone know of a way I can use tokenGroups to get
the membership info for every domain?

Thanks!
_
Joseph Isenhour 

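The procedure the thread converges on (joe's two steps, and the OP's Step 1 to Step 3 with System.DirectoryServices) written out as an added PowerShell example. This is not code from the thread or from any poster; it assumes a domain-joined host, a caller permitted to read the account, and a placeholder DN in $UserDn that you replace with the real one. Step 1 reads tokenGroups from any DC of the account's own domain (which, as joe confirmed in his lab, already carries universal groups from other domains); Step 2 reads it on the GC port from a GC that belongs to each other domain, which is what picks up that domain's domain local groups. A domain with no GC is reported rather than silently skipped, since that is the case where the method does not work and a recursive member enumeration is needed instead.

```powershell
# Added example, not code from the thread. Collects the tokenGroups of one
# account across the forest using System.DirectoryServices.
# Assumes: domain-joined host, read access to the account, placeholder DN below.
param(
    # Placeholder; replace with the account's real distinguished name.
    [string]$UserDn = 'CN=userA,OU=Users,DC=domaina,DC=example'
)

Add-Type -AssemblyName System.DirectoryServices

function Get-TokenGroupSids {
    param([string]$AdsPath)
    # tokenGroups is a constructed attribute: it must be requested explicitly
    # and is only returned by a BASE read of the object itself.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($AdsPath)
    try {
        $entry.RefreshCache(@('tokenGroups'))
        foreach ($bytes in $entry.Properties['tokenGroups']) {
            # Each value is a binary SID; convert it to the S-1-5-... string form.
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    } finally {
        $entry.Dispose()
    }
}

# The account's home domain, taken from the DC= components of its DN.
$homeDomain = (($UserDn -split ',DC=') | Select-Object -Skip 1) -join '.'
$forest     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$sids       = New-Object 'System.Collections.Generic.HashSet[string]'

# Step 1: LDAP port against the home domain. A serverless bind lets the DC
# locator pick any DC; the result already includes universal groups from
# other domains because the DC expands them as it would for a logon token.
foreach ($sid in Get-TokenGroupSids -AdsPath "LDAP://$homeDomain/$UserDn") {
    [void]$sids.Add($sid)
}

# Step 2: GC port against a GC that is a member of each *other* domain.
# The LDAP port would only refer us back to the home domain, and a GC from
# some other domain does not return this domain's domain local groups.
foreach ($domain in $forest.Domains) {
    if ($domain.Name -ieq $homeDomain) { continue }

    $gc = $domain.FindAllDomainControllers() |
          Where-Object { $_.IsGlobalCatalog() } |
          Select-Object -First 1
    if (-not $gc) {
        Write-Warning ("No GC in {0}: its domain local groups need a recursive " +
                       "member enumeration instead.") -f $domain.Name
        continue
    }

    foreach ($sid in Get-TokenGroupSids -AdsPath "GC://$($gc.Name)/$UserDn") {
        [void]$sids.Add($sid)   # HashSet drops duplicates from overlapping results
    }
}

# Resolve what this host can resolve; keep the raw SID where translation fails
# (typical for domain local groups of a domain this host has no trust path to).
foreach ($sid in ($sids | Sort-Object)) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'
    }
    [pscustomobject]@{ Sid = $sid; Name = $name }
}
```

Run it once with the same DN and compare the Step 1 output alone against the combined set: the difference is exactly the foreign domain local groups, which is a quick way to confirm in your own forest what joe observed in his lab. Keeping the SIDs rather than only the translated names also makes the result usable for authorization checks, since a name can fail to translate while the SID is still authoritative.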