Yeah, I guess now that ~Eric wrote it there, it is ok to say. ~Eric is no longer doing AD Stuff for the EEC. I was quite sad to hear about it when he told me. He says he has some exciting opportunities though.
Dmitri is great. I am very thankful for the time Dmitri puts into the newsgroups, I learn a great deal from his posts. While most people on the list here probably don't know who Dmitri is[1], many of us who do a lot of posting here and try to help everyone do know who he is and are thankful for any and all contributions he makes. joe [1] Unless you read the acknowledgements in my book. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Monday, May 29, 2006 4:13 AM To: [email protected] Subject: RE: [ActiveDir] tokenGroups field Dmitri I told you that you where a folk hero ;-) Joe did i read right(Erics blog)? Eric is now working for the Windows Live group. Eric congrats i hope it goes well :-D Carlos -----Original Message----- From: "joe" <[EMAIL PROTECTED]> To: [email protected] Sent: 29/05/2006 06:37 Subject: RE: [ActiveDir] tokenGroups field Excellent thanks Dmitri. The three attributes are tokenGroups tokenGroupsGlobalAndUniversal tokenGroupsNoGCAcceptable To the list denizens, Dmitri is one of those people like ~Eric and our local garage door operator that you really really want to listen to. I think this is the first time I have seen him posting here which is great. You will usually find him in the MSFT newsgroups answering the really hard AD and ADAM questions that the rest of us are guessing on. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov Sent: Saturday, May 27, 2006 1:24 PM To: [email protected] Subject: RE: [ActiveDir] tokenGroups field TokenGroups does talk to a GC, if the current DC is not a GC itself. Basically, that's the reason we disallow one-level and subtree searches hitting tokenGroups (so that we don't overload the DC -- it is an expensive call). You will get different results depending on which DC you are connected to, because the results include local groups. If you want consistent results, read tokenGroupsGlobalAndUniversal -- that will return the same result no matter which DC you are connected to. However, it will not include local groups. If you want to avoid the GC call, then call tokenGroupsNoGcAvailable (or something like this, sorry, forgot the exact name -- check in the schema) -- this one will give you local info without talking to the GC, but then you've got what you've got. Dmitri -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 26, 2006 5:25 PM To: [email protected] Subject: RE: [ActiveDir] tokenGroups field > nah-ah. would have to hit a GC to get those. Thanks for responding Deji. Good guess, 50/50 shot at it[1]. Unfortunately you are incorrect. :) I had a feeling but wasn't positive when I wrote that response so I made it clear that I wasn't sure and that I needed to test it (that was the part you snipped). Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab. I thought it worked that way as I recalled chasing the source path and actually seeing it. I wanted to understand why the three tokengroups attributes were the only ones you had to use a BASE query for. In the source I finally chased through all of the nested calls and got to the [truncated by sender] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
