I've been checked out of the group here for a few weeks and just poked back in. I think Dmitri summed things up quite well. I'll just add that ADSI and S.DS don't do anything interesting here. The net result is the same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no really easy way to do it. The UGs and GGs from the user's home domain should always be there with tokenGroups though.

We kind of glossed this over in our book, although our tokenGroups samples are pretty good otherwise. Ryan showed three different methods for converting the SIDs back into friendly names, which could help a lot of people.

Joe K.

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field


Something could be happening under the covers for you by NET or ADSI. JoeK
could probably help there. However hitting a GC in each domain should do it.
The main thing it is going to get you if it wasn't clear in the response to
Deji is the domain local groups in the foreign domains. Obviously the user
couldn't be in GGs in other domains and UGs would be handled by hitting the
default DC for the user assuming you aren't in mixed mode.

You may want to use adfind to look at the results from each of the domains.
With the new -resolvesids switch the tokenGroups attribute gets a nice
resolved output which is nice....



 joe




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
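
Added example, not part of either message above and not code from the book or from adfind: tokenGroups values come back as binary SIDs, so comparing what each domain's server returns starts with decoding them to string form and taking the union. The server names, domain SID prefixes and RIDs are constructed sample data, and make_sid, merge_token_groups and only_from are hypothetical helper names.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (as returned in tokenGroups) to S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def make_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used only to construct the sample data below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def merge_token_groups(per_server: dict) -> dict:
    """Union tokenGroups values per server: {string SID: sorted server names}."""
    merged = {}
    for server, values in per_server.items():
        for raw in values:
            merged.setdefault(sid_to_string(raw), set()).add(server)
    return {sid: sorted(servers) for sid, servers in sorted(merged.items())}

# Constructed sample data: two made-up domain SID prefixes and server names.
HOME = (21, 1111111111, 2222222222, 3333333333)
FOREIGN = (21, 1444444444, 555555555, 666666666)
SAMPLE = {
    "dc.home.example": [
        make_sid(5, *HOME, 513),    # global group in the user's home domain
        make_sid(5, *HOME, 1105),   # universal group
        make_sid(5, 32, 545),       # BUILTIN\Users
    ],
    "gc.foreign.example": [
        make_sid(5, *HOME, 513),
        make_sid(5, *HOME, 1105),
        make_sid(5, *FOREIGN, 1201),  # domain local group in the foreign domain
    ],
}

def only_from(server: str, merged: dict) -> list:
    return [sid for sid, servers in merged.items() if servers == [server]]  # SIDs no other server returned

if __name__ == "__main__":
    merged = merge_token_groups(SAMPLE)
    for sid, servers in merged.items():
        print(sid, servers)
    print("only via foreign GC:", only_from("gc.foreign.example", merged))
```

The SIDs reported only by the foreign server are the domain local groups the home-domain read cannot show; turning any of them into a friendly name still needs a lookup against the directory.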
