A computed attribute that contains the list of SIDs due to a transitive group membership expansion operation on a given user or computer. Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
Note
Retrieving Token Groups is an expensive operation on the domain controllers, requiring a BASE scope LDAP query to return the attribute values for a given security principal object. Care should be taken when scaling the use of this attribute in larger environments. It can impact overall domain controller performance up to the point that it prevents the domain controller from processing other requests.
Entry |
Value |
CN |
Token-Groups |
Ldap-Display-Name |
tokenGroups |
Size |
- |
Update Privilege |
This value is set by the system. |
Update Frequency |
- |
Attribute-Id |
1.2.840.113556.1.4.1301 |
System-Id-Guid |
b7c69e6d-2cc7-11d2-854e-00a0c983f608 |
Syntax |
String(Sid) |
Implementations
Windows 2000 Server
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
Windows Server 2003
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
ADAM
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
Windows Server 2003 R2
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
Windows Server 2008
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
Windows Server 2008 R2
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|
Windows Server 2012
Entry |
Value |
Link-Id |
- |
MAPI-Id |
- |
System-Only |
False |
Is-Single-Valued |
False |
Is Indexed |
False |
In Global Catalog |
False |
NT-Security-Descriptor |
O:BAG:BAD:S: |
Range-Lower |
- |
Range-Upper |
- |
Search-Flags |
0x00000000 |
System-Flags |
0x08000014 |
Classes used in |
Security-Principal
|