I'm back with another development question ;-) Quick background: I've recently started using the tokenGroups field in AD in order to determine group membership of a user. I just convert the byte array to a string. I found that this is faster than doing a recursive LDAP enumeration because it's one query.
I noticed that the tokenGroups field does not contain groups from other domains (except for the builtin groups). So if I need to validate that userA in DomainA belongs to a group in DomainB, tokenGroups won't cut it. I tried connecting to a DC in DomainB and getting the tokenGroups for userA but ended up with the same result.

So my question is: does anyone know of a way I can use tokenGroups to get the membership info for every domain?

Thanks!
_________________________________
Joseph Isenhour

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
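
Added example, not part of the original post: the byte-array-to-string conversion mentioned above, decoding each tokenGroups value from the binary SID layout and bucketing the results by issuing domain SID, so it is visible which domains the returned SIDs come from. The function names and the sample values are constructed for illustration; no directory query is made.

```python
import struct
from collections import defaultdict

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (one tokenGroups value) to S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def group_by_issuer(values):
    """Bucket decoded SIDs by issuing domain SID, 'builtin', or 'other'."""
    buckets = defaultdict(list)
    for raw in values:
        sid = sid_to_string(raw)
        parts = sid.split("-")
        if sid.startswith("S-1-5-32-"):
            key = "builtin"                          # BUILTIN aliases
        elif sid.startswith("S-1-5-21-") and len(parts) == 8:
            key = "-".join(parts[:7])                # domain SID = SID minus RID
        else:
            key = "other"
        buckets[key].append(sid)
    return dict(buckets)

def make_sid(authority, *subs):
    """Build a binary SID; used only to construct the sample values below."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

# Constructed sample: two SIDs from one made-up domain plus one builtin alias.
DOMAIN_A = (21, 1111111111, 2222222222, 3333333333)
SAMPLE_TOKEN_GROUPS = [
    make_sid(5, *DOMAIN_A, 513),
    make_sid(5, *DOMAIN_A, 1105),
    make_sid(5, 32, 545),
]

if __name__ == "__main__":
    for issuer, sids in group_by_issuer(SAMPLE_TOKEN_GROUPS).items():
        print(issuer, sids)
```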
