3.1.1.4.5.19 tokenGroups, tokenGroupsNoGCAcceptable
The tokenGroups attribute exists on both AD DS and AD LDS. The tokenGroupsNoGCAcceptable attribute exists on AD DS but not on AD LDS.
These two computed attributes return the set of SIDs from a transitive group membership expansion operation on a given object.
For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships. The tokenGroupsNoGCAcceptable attribute can always be retrieved, but if no GC server is available, the set of SIDs may be incomplete.
Let U be the object from which the tokenGroups or tokenGroupsNoGCAcceptable attribute is being read.
- If U!objectSid does not exist, U!tokenGroups and U!tokenGroupsNoGCAcceptable are not present.
- Otherwise, U!tokenGroups and U!tokenGroupsNoGCAcceptable are the result of the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetGroupsForUser, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.
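The following is an added illustration, not text or code from MS-ADTS or MS-DRSR, of the behaviour the section describes: a transitive reverse-membership expansion that returns group SIDs, returns "not present" when the object has no objectSid or when tokenGroups is read without a GC, and returns a possibly incomplete set for tokenGroupsNoGCAcceptable without a GC. The directory contents, DNs, SIDs and domain names are constructed, and the rule that groups in another domain can only be evaluated through a GC is an assumption of this model rather than a statement of the IDL_DRSGetMemberships algorithm. It is the kind of check a defender can use to understand why effective-membership audits taken from a DC without GC reachability can undercount group SIDs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed: the domain this (hypothetical) DC serves.
LOCAL_DOMAIN = "corp.example"


@dataclass
class DirObject:
    """Minimal model of a directory object; member_of holds group DNs."""
    sid: Optional[str]                      # objectSid, or None if the object has none
    domain: str                             # domain the object lives in
    member_of: Set[str] = field(default_factory=set)


# Constructed sample directory (DN -> object). All SIDs and names are made up.
DIRECTORY: Dict[str, DirObject] = {
    "CN=alice,DC=corp": DirObject(
        "S-1-5-21-1-1-1-1105", LOCAL_DOMAIN,
        {"CN=Developers,DC=corp", "CN=AllStaff,DC=other"}),
    "CN=Developers,DC=corp": DirObject(
        "S-1-5-21-1-1-1-1201", LOCAL_DOMAIN, {"CN=Engineering,DC=corp"}),
    "CN=Engineering,DC=corp": DirObject(
        "S-1-5-21-1-1-1-1202", LOCAL_DOMAIN, {"CN=Developers,DC=corp"}),  # nesting cycle
    "CN=AllStaff,DC=other": DirObject(
        "S-1-5-21-9-9-9-1301", "other.example", {"CN=Everyone,DC=other"}),
    "CN=Everyone,DC=other": DirObject(
        "S-1-5-21-9-9-9-1302", "other.example"),
    "CN=container,DC=corp": DirObject(None, LOCAL_DOMAIN),   # no objectSid
}


def expand_groups(directory: Dict[str, DirObject], dn: str,
                  gc_available: bool, no_gc_acceptable: bool) -> Optional[Set[str]]:
    """Return the SIDs of every group reachable transitively via memberOf from dn.

    None models "attribute not present":
      - the object has no objectSid, or
      - tokenGroups (no_gc_acceptable=False) is read while no GC is reachable.
    With no_gc_acceptable=True and no GC, groups outside LOCAL_DOMAIN are skipped
    (model assumption), so the result may be incomplete, as the spec says for
    tokenGroupsNoGCAcceptable.
    """
    start = directory[dn]
    if start.sid is None:
        return None
    if not gc_available and not no_gc_acceptable:
        return None

    seen: Set[str] = set()          # visited group DNs; guards against nesting cycles
    sids: Set[str] = set()
    stack = list(start.member_of)
    while stack:
        gdn = stack.pop()
        if gdn in seen:
            continue
        seen.add(gdn)
        group = directory.get(gdn)
        if group is None:
            continue                # dangling memberOf reference; nothing to add
        if group.domain != LOCAL_DOMAIN and not gc_available:
            # Assumption of the model: memberships held in other domains are
            # only evaluated through a GC, so without one they are dropped.
            continue
        if group.sid is not None:
            sids.add(group.sid)
        stack.extend(group.member_of)
    return sids


if __name__ == "__main__":
    for gc, nogc in ((True, False), (False, False), (False, True)):
        print(f"gc_available={gc} no_gc_acceptable={nogc}:",
              expand_groups(DIRECTORY, "CN=alice,DC=corp", gc, nogc))
```

Comparing the first and third runs shows the practical point of the section: the same object yields four group SIDs when a GC is reachable but only the two local-domain SIDs through tokenGroupsNoGCAcceptable without one, while tokenGroups itself is simply absent.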