Token-Groups attribute
Article 07/28/2022
A computed attribute that contains the list of SIDs produced by a transitive group membership expansion operation on a given user or computer. Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
Note
Retrieving Token Groups is an expensive operation on the domain controllers, requiring a BASE scope LDAP query to return the attribute values for a given security principal object. Care should be taken when scaling the use of this attribute in larger environments. It can impact overall domain controller performance up to the point that it prevents the domain controller from processing other requests.
| Entry | Value |
| --- | --- |
| CN | Token-Groups |
| Ldap-Display-Name | tokenGroups |
| Size | - |
| Update Privilege | This value is set by the system. |
| Update Frequency | - |
| Attribute-Id | 1.2.840.113556.1.4.1301 |
| System-Id-Guid | b7c69e6d-2cc7-11d2-854e-00a0c983f608 |
| Syntax | String(Sid) |
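A base-scope read of tokenGroups returns each SID in binary form, so the values must be decoded before they can be compared with known group SIDs. The Python below is an added example, not part of the original article: it decodes the values and reports which ones are privileged groups reached through the transitive expansion. The function names, the sample domain SID, and the selection of well-known groups (RIDs 512, 518, 519 and S-1-5-32-544) are assumptions made for illustration.

```python
import struct

# Well-known privileged groups picked for this example (not listed on the page).
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN = {"S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_to_string(raw):
    """Decode one binary SID, as returned in tokenGroups, to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("value is shorter than the fixed 8-byte SID header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID: bad revision or sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])       # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def privileged_memberships(token_groups, domain_sid):
    """Return {sid: group name} for every tokenGroups value that is privileged."""
    hits = {}
    for raw in token_groups:
        sid = sid_to_string(raw)
        rid = sid[len(domain_sid) + 1:] if sid.startswith(domain_sid + "-") else ""
        if sid in PRIVILEGED_BUILTIN:
            hits[sid] = PRIVILEGED_BUILTIN[sid]
        elif rid.isdigit() and int(rid) in PRIVILEGED_DOMAIN_RIDS:
            hits[sid] = PRIVILEGED_DOMAIN_RIDS[int(rid)]
    return hits

def build_sid(authority, *subs):
    """Helper that builds a binary SID for the constructed sample data."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample: values shaped like a tokenGroups read for one account.
DOMAIN_SUBS = (21, 1004336348, 1177238915, 682003330)   # constructed domain
DOMAIN = "S-1-5-" + "-".join(map(str, DOMAIN_SUBS))
SAMPLE = [
    build_sid(5, *DOMAIN_SUBS, 513),   # Domain Users
    build_sid(5, *DOMAIN_SUBS, 512),   # Domain Admins, e.g. via a nested group
    build_sid(5, 32, 544),             # BUILTIN\Administrators
    build_sid(5, 32, 545),             # BUILTIN\Users
]

if __name__ == "__main__":
    for sid, name in privileged_memberships(SAMPLE, DOMAIN).items():
        print(sid, name)
```

Because each read is expensive for the domain controller, a tool built on this should read tokenGroups once per principal and reuse the decoded result.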
Implementations
Windows 2000 Server
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
Windows Server 2003
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
ADAM
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
Windows Server 2003 R2
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
Windows Server 2008
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
Windows Server 2008 R2
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |
Windows Server 2012
| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x08000014 |
| Classes used in | Security-Principal |