220.127.116.11.5.19 tokenGroups, tokenGroupsNoGCAcceptable
For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships. The tokenGroupsNoGCAcceptable attribute can always be retrieved, but if no GC server is available, the set of SIDs may be incomplete.
Let U be the object from which the tokenGroups or tokenGroupsNoGCAcceptable attribute is being read.
If U!objectSid does not exist, U!tokenGroups and U!tokenGroupsNoGCAcceptable are not present.
Otherwise, U!tokenGroups and U!tokenGroupsNoGCAcceptable are the result of the algorithm in [MS-DRSR] section 18.104.22.168 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=OperationType, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.