[cifs-protocol] primaryGroupToken

Andrew Bartlett abartlet at samba.org
Thu Dec 3 15:00:11 MST 2009

MS-ADA3 2.120 claims:

Attribute primaryGroupToken
  This attribute specifies a computed attribute that is used in retrieving the membership list of a group
  such as Domain Users. The complete membership of such groups is not stored explicitly for scaling
  reasons. For more information refer to [MS-ADTS] section and [MS-SAMR].

MS-ADTS claims:

  Let TO be the object from which the primaryGroupToken attribute is being read.
  The value of TO!primaryGroupToken is the RID from TO!objectSid when there exists C in
  TO!objectClass such that C is the group class. Otherwise, no value is returned. That is, if TO is a
  group, then the value of this attribute is the RID from the group's SID. If TO is not a group, no
  value is returned when this attribute is read from TO.

The behaviour of Window 2008 appears to follow MS-ADTS.  That is, the
primaryGroupToken appears to be the RID of the objectSID for all

Please advise, clarify or correct,


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20091204/0ac0a7c1/attachment.pgp>

More information about the cifs-protocol mailing list