3.1.1.4.5.20 tokenGroupsGlobalAndUniversal

The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.

This computed attribute returns the set of SIDs of global and universal groups resulting from a transitive group membership expansion operation on a given object. This attribute is not present if no GC server is available to evaluate the transitive reverse memberships.

Let U be the object from which the tokenGroupsGlobalAndUniversal attribute is being read.

  • If U!objectSid does not exist, U!tokenGroupsGlobalAndUniversal is not present.

  • Otherwise let S be the set of SIDs returned by invoking the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetAccountGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.

  • Let accumulator set T be the Null set.

  • For each SID s in S:

    • Let X be the set of SIDs returned by invoking the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetUniversalGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=s, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = NULL.

    • T = T union X.

  • U!tokenGroupsGlobalAndUniversal is the union of T and S.
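The steps above, modeled over a small constructed directory. This is an added example, not code from the specification. `account_groups` and `universal_groups` are simplified stand-ins for the RevMembGetAccountGroups and RevMembGetUniversalGroups operations of IDL_DRSGetMemberships (assumed here to be transitive walks restricted to global groups in the limiting domain and to universal groups in any domain); the `gc_available` flag and all names and SIDs are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:
    sid: Optional[str]   # objectSid; None when the attribute is absent
    kind: str            # "user" | "contact" | "global" | "universal" | "domain_local"
    domain: str
    member_of: list = field(default_factory=list)  # names of direct parent groups

# Constructed sample forest: two domains, nested global and universal groups.
DIRECTORY = {
    "alice":    Entry("S-1-5-21-1-1104", "user", "corp", ["g-eng", "dl-files"]),
    "contact":  Entry(None, "contact", "corp", ["g-eng"]),
    "g-eng":    Entry("S-1-5-21-1-2001", "global", "corp", ["g-staff", "u-devs"]),
    "g-staff":  Entry("S-1-5-21-1-2002", "global", "corp"),
    "dl-files": Entry("S-1-5-21-1-3001", "domain_local", "corp"),
    "u-devs":   Entry("S-1-5-21-2-4001", "universal", "emea", ["u-all"]),
    "u-all":    Entry("S-1-5-21-2-4002", "universal", "emea"),
}

def expand(start, keep):
    """Transitive reverse-membership walk, following only groups accepted by keep()."""
    found, stack = set(), [start]
    while stack:
        for parent in DIRECTORY[stack.pop()].member_of:
            if parent not in found and keep(DIRECTORY[parent]):
                found.add(parent)
                stack.append(parent)
    return found

def account_groups(name, limiting_domain):
    # Stand-in for OperationType=RevMembGetAccountGroups (simplified assumption).
    return expand(name, lambda e: e.kind == "global" and e.domain == limiting_domain)

def universal_groups(name):
    # Stand-in for OperationType=RevMembGetUniversalGroups, pLimitingDomain = NULL.
    return expand(name, lambda e: e.kind == "universal")

def token_groups_global_and_universal(name, dc_domain, gc_available=True):
    u = DIRECTORY[name]
    if u.sid is None or not gc_available:
        return None                       # attribute is not present
    s = account_groups(name, dc_domain)   # set S
    t = set()                             # accumulator set T
    for member in s:
        t |= universal_groups(member)     # T = T union X
    return {DIRECTORY[n].sid for n in t | s}
```

The domain-local group `dl-files` never appears in the result, which is the practical difference an access reviewer should expect between this attribute and a full token expansion.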