Andrew,

Your observation regarding the primaryGroupToken attribute is right. We have reviewed and updated the definition in MS-ADA3. The update will appear in a future release of the document.

Current MS-ADA3

2.120 Attribute primaryGroupToken
This attribute specifies a computed attribute that is used in retrieving the membership list of a group such as Domain Users. The complete membership of such groups is not stored explicitly for scaling reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].

MS-ADA3 update similar to:

2.120 Attribute primaryGroupToken
This attribute specifies a computed attribute that is the relative identifier (RID) of the group's SID. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].

Thanks for helping us improve the MS-ADA3 documentation.

Best regards,
Edgar

-----Original Message-----
From: Edgar Olougouna
Sent: Friday, December 04, 2009 9:09 AM
To: 'Andrew Bartlett'
Cc: '[email protected]'; '[email protected]'; 'Matthieu Patou'
Subject: RE: primaryGroupToken

Andrew,

I am looking into this and will keep you updated with my progress.

Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Thursday, December 03, 2009 4:00 PM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]; Matthieu Patou
Subject: primaryGroupToken

MS-ADA3 2.120 claims:

Attribute primaryGroupToken
This attribute specifies a computed attribute that is used in retrieving the membership list of a group such as Domain Users. The complete membership of such groups is not stored explicitly for scaling reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].

However, MS-ADTS 3.1.1.4.5.11 claims:

primaryGroupToken
Let TO be the object from which the primaryGroupToken attribute is being read. The value of TO!primaryGroupToken is the RID from TO!objectSid when there exists C in TO!objectClass such that C is the group class. Otherwise, no value is returned. That is, if TO is a group, then the value of this attribute is the RID from the group's SID. If TO is not a group, no value is returned when this attribute is read from TO.

The behaviour of Windows 2008 appears to follow MS-ADTS. That is, the primaryGroupToken appears to be the RID of the objectSID for all groups.

Please advise, clarify or correct,

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
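The MS-ADTS rule quoted in the thread, as an added example (not code from the thread, Microsoft or Samba): it decodes a binary objectSid and returns its RID only when objectClass contains group. The entry layout (a dict with `objectClass` and `objectSid`), the helper names and the sample domain SID are assumptions made for illustration.

```python
import struct

def build_sid(authority, subs):
    """Pack a revision 1 SID into binary form (used only to build sample data)."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def parse_sid(raw):
    """Decode a binary SID into (identifier_authority, sub_authorities)."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision 1 SID")
    count = raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit each, little-endian
    return authority, subs

def sid_to_string(raw):
    """Render a binary SID in the usual S-1-... string form."""
    authority, subs = parse_sid(raw)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def primary_group_token(entry):
    """RID of entry's objectSid if entry is a group; otherwise None (no value)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "group" not in classes:
        return None
    _, subs = parse_sid(entry["objectSid"])
    return subs[-1] if subs else None

# Constructed sample entries; the domain sub-authorities are made up.
DOMAIN = (21, 1004336348, 1177238915, 682003330)
GROUP = {"objectClass": ["top", "group"],
         "objectSid": build_sid(5, DOMAIN + (513,))}    # 513 = Domain Users RID
USER = {"objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectSid": build_sid(5, DOMAIN + (1104,))}    # constructed user RID

if __name__ == "__main__":
    for name, entry in (("group", GROUP), ("user", USER)):
        sid = sid_to_string(entry["objectSid"])
        print(name, sid, "primaryGroupToken =", primary_group_token(entry))
```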
