3.1.1.4.5.19 tokenGroups, tokenGroupsNoGCAcceptable

The tokenGroups attribute exists on both AD DS and AD LDS. The tokenGroupsNoGCAcceptable attribute exists on AD DS but not on AD LDS.

These two computed attributes return the set of SIDs from a transitive group membership expansion operation on a given object.

For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships. The tokenGroupsNoGCAcceptable attribute can always be retrieved, but if no GC server is available, the set of SIDs might be incomplete.

Let U be the object from which the tokenGroups or tokenGroupsNoGCAcceptable attribute is being read.

  • If U!objectSid does not exist, U!tokenGroups and U!tokenGroupsNoGCAcceptable are not present.

  • For AD DS in mixed mode, let OperationType=RevMembGetGroupsForUser ([MS-DRSR] section 4.1.8.1.3); otherwise, for AD LDS and AD DS not in mixed mode, let OperationType=RevMembGetAccountGroups.

  • Otherwise, U!tokenGroups and U!tokenGroupsNoGCAcceptable are the result of the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=OperationType, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.
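The following is an added, self-contained model of the rules above; it is not Microsoft's implementation and not code from [MS-ADTS] or [MS-DRSR]. It builds a small constructed two-domain directory (the DNs and SIDs are made up), performs the transitive reverse-membership expansion, and applies the three rules stated on this page: no objectSid means neither attribute is present, tokenGroups is absent when no GC is available, and tokenGroupsNoGCAcceptable is still returned but possibly incomplete. The one simplifying assumption is that groups outside the DC's own domain (the pLimitingDomain) can only be resolved through a GC, which is how the model produces the "incomplete" case; `select_operation_type` mirrors the OperationType choice from the second bullet. A defender auditing effective group membership can use the same shape of logic to spot when a tokenGroupsNoGCAcceptable read should not be trusted as complete.

```python
"""Model of how tokenGroups / tokenGroupsNoGCAcceptable are derived (illustration only).

Assumption: objects are keyed by DN, each carries its domain, an optional
objectSid, and the DNs of the groups it is a direct member of.  Groups outside
the DC's limiting domain are treated as resolvable only when a GC is reachable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DirObject:
    dn: str
    domain: str
    object_sid: Optional[str]                   # None models "U!objectSid does not exist"
    member_of: List[str] = field(default_factory=list)   # DNs of direct group memberships


# Constructed sample forest: domain "corp" (the DC's own domain) and domain "hq".
DIRECTORY: Dict[str, DirObject] = {
    "CN=alice,DC=corp": DirObject("CN=alice,DC=corp", "corp", "S-1-5-21-1-1-1-1105",
                                  member_of=["CN=Devs,DC=corp"]),
    "CN=Devs,DC=corp": DirObject("CN=Devs,DC=corp", "corp", "S-1-5-21-1-1-1-2001",
                                 member_of=["CN=AllEngineering,DC=hq"]),
    "CN=AllEngineering,DC=hq": DirObject("CN=AllEngineering,DC=hq", "hq", "S-1-5-21-2-2-2-3001",
                                         member_of=["CN=Staff,DC=hq"]),
    "CN=Staff,DC=hq": DirObject("CN=Staff,DC=hq", "hq", "S-1-5-21-2-2-2-3002"),
    # A contact-like object with no objectSid, constructed to exercise the first bullet.
    "CN=contact1,DC=corp": DirObject("CN=contact1,DC=corp", "corp", None,
                                     member_of=["CN=Devs,DC=corp"]),
}


def select_operation_type(is_ad_lds: bool, mixed_mode: bool) -> str:
    """OperationType choice from the second bullet of the section."""
    if not is_ad_lds and mixed_mode:
        return "RevMembGetGroupsForUser"
    return "RevMembGetAccountGroups"


def expand_memberships(dn: str, limiting_domain: str, gc_available: bool) -> Tuple[Set[str], bool]:
    """Transitive reverse-membership expansion of U (models IDL_DRSGetMemberships).

    Returns (set of group SIDs, complete_flag).  complete_flag is False when a
    group could not be evaluated because it lies outside limiting_domain and no
    GC is available; groups nested beneath it are then also missed.
    """
    sids: Set[str] = set()
    complete = True
    seen: Set[str] = set()
    stack = list(DIRECTORY[dn].member_of)
    while stack:
        group_dn = stack.pop()
        if group_dn in seen:            # guards against membership cycles
            continue
        seen.add(group_dn)
        group = DIRECTORY[group_dn]
        if group.domain != limiting_domain and not gc_available:
            complete = False            # cannot evaluate this branch locally
            continue
        sids.add(group.object_sid)
        stack.extend(group.member_of)
    return sids, complete


def read_token_groups(dn: str, limiting_domain: str, gc_available: bool) -> Optional[Set[str]]:
    """U!tokenGroups: absent without objectSid, absent without a GC (AD DS)."""
    if DIRECTORY[dn].object_sid is None:
        return None
    if not gc_available:
        return None
    sids, _ = expand_memberships(dn, limiting_domain, gc_available=True)
    return sids


def read_token_groups_no_gc_acceptable(dn: str, limiting_domain: str,
                                       gc_available: bool) -> Optional[Set[str]]:
    """U!tokenGroupsNoGCAcceptable: absent without objectSid, else always returned
    but possibly incomplete when no GC is available."""
    if DIRECTORY[dn].object_sid is None:
        return None
    sids, _ = expand_memberships(dn, limiting_domain, gc_available)
    return sids


if __name__ == "__main__":
    for gc in (True, False):
        print("GC available:", gc)
        print("  tokenGroups              =", read_token_groups("CN=alice,DC=corp", "corp", gc))
        print("  tokenGroupsNoGCAcceptable=", read_token_groups_no_gc_acceptable("CN=alice,DC=corp", "corp", gc))
    print("contact without objectSid ->", read_token_groups("CN=contact1,DC=corp", "corp", True))
```

Running the block shows the full three-SID set for both attributes when a GC is reachable, tokenGroups absent and tokenGroupsNoGCAcceptable reduced to the single in-domain group SID when it is not, and neither attribute present for the object lacking an objectSid.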