A computed attribute that contains the list of SIDs due to a transitive group membership expansion operation on a given user or computer. Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
Retrieving Token Groups is an expensive operation on the domain controllers, requiring a BASE scope LDAP query to return the attribute values for a given security principal object. Care should be taken when scaling the use of this attribute in larger environments. It can impact overall domain controller performance up to the point that it prevents the domain controller from processing other requests.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.