3.1.1.4.5.20 tokenGroupsGlobalAndUniversal

The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.

This computed attribute returns the set of SIDs of global and universal groups resulting from a transitive group membership expansion operation on a given object. This attribute is not present if no GC server is available to evaluate the transitive reverse memberships.

Let U be the object from which the tokenGroupsGlobalAndUniversal attribute is being read.

  • If U!objectSid does not exist, U!tokenGroupsGlobalAndUniversal is not present.

  • Otherwise let S be the set of SIDs returned by invoking the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetAccountGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.

  • Let accumulator set T be the Null set.

  • For each SID s in S:

    • Let X be the set of SIDs returned by invoking the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetUniversalGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=s, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = NULL.

    • T = T union X.

  • U!tokenGroupsGlobalAndUniversal is the union of T and S.
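
The procedure above, carried through in Python over a small constructed directory. This is an added example, not part of the specification. The `get_memberships` function is a hypothetical stand-in for IDL_DRSGetMemberships: it assumes RevMembGetAccountGroups yields the transitive global groups in the limiting domain and RevMembGetUniversalGroups yields the transitive universal groups (the authoritative behavior is in [MS-DRSR] section 4.1.8.3). All object names, domains and SIDs are made up.

```python
GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domain-local"

# Constructed sample directory: name -> (objectSid, group type, domain, direct memberOf)
DIRECTORY = {
    "alice":   ("S-1-5-21-1-1001", None,         "A", ["ga1"]),
    "contact": (None,              None,         "A", ["ga1"]),  # no objectSid
    "ga1":     ("S-1-5-21-1-2001", GLOBAL,       "A", ["ga2", "ub1"]),
    "ga2":     ("S-1-5-21-1-2002", GLOBAL,       "A", ["dl1"]),
    "ub1":     ("S-1-5-21-2-3001", UNIVERSAL,    "B", ["ub2"]),
    "ub2":     ("S-1-5-21-2-3002", UNIVERSAL,    "B", []),
    "dl1":     ("S-1-5-21-1-4001", DOMAIN_LOCAL, "A", []),
}
BY_SID = {entry[0]: name for name, entry in DIRECTORY.items() if entry[0]}


def get_memberships(operation, name, limiting_domain):
    """Toy stand-in for IDL_DRSGetMemberships (assumed semantics, see lead-in)."""
    wanted = GLOBAL if operation == "RevMembGetAccountGroups" else UNIVERSAL
    found, stack = set(), [name]
    while stack:
        for parent in DIRECTORY[stack.pop()][3]:
            sid, gtype, domain, _ = DIRECTORY[parent]
            if gtype != wanted or sid in found:
                continue  # wrong group type, or already expanded (cycle guard)
            if limiting_domain is not None and domain != limiting_domain:
                continue  # outside pLimitingDomain
            found.add(sid)
            stack.append(parent)
    return found


def token_groups_global_and_universal(u, server_domain="A", gc_available=True):
    """Return the attribute value as a set of SID strings, or None if not present."""
    # Not present without a GC server, or when U!objectSid does not exist.
    if not gc_available or DIRECTORY[u][0] is None:
        return None
    S = get_memberships("RevMembGetAccountGroups", u, server_domain)
    T = set()  # accumulator set
    for s in S:
        X = get_memberships("RevMembGetUniversalGroups", BY_SID[s], None)
        T |= X
    return T | S


if __name__ == "__main__":
    for sid in sorted(token_groups_global_and_universal("alice")):
        print(sid)
```

In this sample the domain-local group `dl1` never appears in the result, and the object without an objectSid yields no attribute at all.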