I'm back with another development question ;-)
Quick background: I've recently started using the tokenGroups field in
AD in order to determine group membership of a user. I just convert the
byte array to a string. I found that this is faster than doing a
recursive LDAP enumeration because it's o
on how they are asked. Just as
the Exchange Dev guys.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] tokenGroups field
I'm back with
[EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/26/2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Not in a single call no... You would need to
1. Request tokengroups from a DC of the default domain for the user, I am
not sure, but I think that will get the
2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Not in a single call no... You would need to
1. Request tokengroups from a DC of the default domain for the user, I
am
not sure, but I think that will get the Universals from other domains as
well, but possibly you h
being right. ;o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 26, 2006 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
>>>but I think that will get the Universals from other do
a nice
resolved output which is nice
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 26, 2006 7:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
I actually tried option 2 us
oe
Sent: Friday, May 26, 2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
> nah-ah. would have to hit a GC to get those.
Thanks for responding Deji. Good guess, 50/50 shot at it[1].
Unfortunately you are incorrect. :)
I had a feeling but wasn'
: Saturday, May 27, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
TokenGroups does talk to a GC, if the current DC is not a GC itself.
Basically, that's the reason we disallow one-level and subtree searches
hitting tokenGroups (so that we don't overl
rwise. Ryan showed three different methods for
converting the SIDs back into friendly names, which could help a lot of
people.
Joe K.
- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field
29/05/2006 06:37
Subject: RE: [ActiveDir] tokenGroups field
Excellent thanks Dmitri.
The three attributes are
tokenGroups
tokenGroupsGlobalAndUniversal
tokenGroupsNoGCAcceptable
To the list denizens, Dmitri is one of those people like ~Eric and our local
garage door operator that you reall
s
are pretty good otherwise. Ryan showed three different methods for
converting the SIDs back into friendly names, which could help a lot of
people.
Joe K.
- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir]
@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Yep your examples are helpful, that's what I'm using :-)
It looks like hitting a GC for each domain in the forest is the way to
go in order to get the local group membership from other domains.
So just out of curiosity, when Windows b
in that is marked for the partial
attribute set.
Like I said, really low importance, I'm just curious.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] to
om: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Thanks, that's pretty much what I figured.
So this is of low importance, but why wouldn't any GC in
memberOf thing. The SSO vendor
we work with does this (which is way slow compared to tokenGroups, but has
the benefit of being more cross-platform).
Joe K.
- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, May 30, 2006 6:40 PM
Subject: RE: [Acti
TECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
The membership of groups is handled in a "special" way.
Although the member attribute is marked for PAS inclusion only UG
membership
is replicated ou
;nCName: DC=child1,DC=joe,DC=com
>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]
2 Objects returned
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Sub
itrary app partitions, but domains do.
~Eric
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, May 31, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Thanks Joe,
That's a little bit
enumeration stuff
uses the locator service (DsGetDcName, etc.).
Joe Kaplan
- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 31, 2006 6:06 PM
Subject: RE: [ActiveDir] tokenGroups field
Does this rate as cooler?
(&(objectCa
Much cooler ;-)
That worked great.
Thanks!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 31, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field
Does this rate as cooler
EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, May 31, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field
I was going to say the same thing. Also, if you are using .NET 2.0, the
new
S.DS.ActiveDirectory namespace has tons of cool ways to enumerate
domains
21 matches
Mail list logo
