[cifs-protocol] primaryGroupToken
Sebastian Canevari
Sebastian.Canevari at microsoft.com
Thu Dec 3 15:19:03 MST 2009
Hi Andrew,
Thanks for your inquiry.
Someone from my team will be contacting you shortly to help you with this.
Thanks and regards,
Sebastian
Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, December 03, 2009 4:00 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; pfif at tridgell.net; Matthieu Patou
Subject: primaryGroupToken
MS-ADA3 2.120 claims:
Attribute primaryGroupToken
This attribute specifies a computed attribute that is used in retrieving the membership list of a group
such as Domain Users. The complete membership of such groups is not stored explicitly for scaling
reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].
However,
MS-ADTS 3.1.1.4.5.11 claims:
primaryGroupToken
Let TO be the object from which the primaryGroupToken attribute is being read.
The value of TO!primaryGroupToken is the RID from TO!objectSid when there exists C in
TO!objectClass such that C is the group class. Otherwise, no value is returned. That is, if TO is a
group, then the value of this attribute is the RID from the group's SID. If TO is not a group, no
value is returned when this attribute is read from TO.
The behaviour of Windows 2008 appears to follow MS-ADTS. That is, the primaryGroupToken appears to be the RID of the objectSID for all groups.
Please advise, clarify or correct,
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
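
The MS-ADTS 3.1.1.4.5.11 rule quoted in the message above, as an added example that is not part of the original thread and is not Samba or Microsoft code: it decodes a binary objectSid and returns the RID only when the entry's objectClass includes group. The helper names, the entry dictionaries and the domain SID values are constructed for illustration.

```python
import struct

def build_sid(authority, sub_authorities):
    """Pack a SID into the binary objectSid layout (used here only for sample data)."""
    header = bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(sub_authorities)}I", *sub_authorities)

def parse_sid(raw):
    """Decode a binary SID into (authority, [sub_authorities]), rejecting malformed input."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    # Identifier authority is 48-bit big-endian; sub-authorities are 32-bit little-endian.
    return int.from_bytes(raw[2:8], "big"), list(struct.unpack(f"<{count}I", raw[8:]))

def sid_to_string(raw):
    """Render a binary SID in the usual S-1-... string form."""
    authority, subs = parse_sid(raw)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def primary_group_token(entry):
    """Return the RID of TO!objectSid if TO is a group, else None (no value returned)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "group" not in classes:
        return None
    _, subs = parse_sid(entry["objectSid"])
    if not subs:
        raise ValueError("SID has no sub-authorities, so it has no RID")
    return subs[-1]

# Constructed sample data: a made-up domain SID prefix plus two RIDs.
DOMAIN = [21, 1111111111, 2222222222, 3333333333]
DOMAIN_USERS = {"objectClass": ["top", "group"], "objectSid": build_sid(5, DOMAIN + [513])}
SOME_USER = {"objectClass": ["top", "person", "user"], "objectSid": build_sid(5, DOMAIN + [1104])}

if __name__ == "__main__":
    for name, entry in (("Domain Users", DOMAIN_USERS), ("user", SOME_USER)):
        print(name, sid_to_string(entry["objectSid"]), primary_group_token(entry))
```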