Hi all,
I have a multi-domain forest: acme.com and child.acme.com. For users in this forest, I would like to get direct and transitive (nested) group membership using the LDAP interface. After looking at the available options, I zeroed in on using the msds-memberoftransitive attribute, as it holds the distinguished names of all groups that have the user as a member.
Question 1:
A user, say user1 from acme.com, can be a member of Universal, Global and Domain Local groups of acme.com, and of Universal and Domain Local groups of child.acme.com. As expected, universal groups in one domain can have membership in Domain Local groups of the other domain.
With this kind of membership, does msds-memberoftransitive store the distinguished names of all Universal, Global and Domain Local groups having the user as a member (both directly and through nested groups)?
Question 2:
What is the right way to read msds-memberoftransitive? Should the LDAP bind be to the Domain Controller of the user's domain, or to the Global Catalog?
In my lab set-up, when connecting to the Domain Controller of either domain, I am not getting the complete list of groups. So, is the Global Catalog the only source to read msds-memberoftransitive from?
From https://msdn.microsoft.com/en-us/library/dn410792.aspx?ppud=4, the systemFlags for the attribute indicate it is not replicated (systemFlags: FLAG_ATTR_NOT_REPLICATED | FLAG_ATTR_IS_CONSTRUCTED | FLAG_ATTR_IS_OPERATIONAL | FLAG_SCHEMA_BASE_OBJECT). I guess this means the attribute msds-memberoftransitive is not available from the Global Catalog. Please correct me if I am wrong.
Thanks,
Lokesh
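As an added illustration (not part of the post above, and not Microsoft's code), the script below models the nested-membership question with a constructed two-domain directory: it expands a user's direct and nested group membership the way msds-memberoftransitive is expected to report it, and then repeats the expansion over only the entries a single domain partition would contain, which reproduces the incomplete result described in the post. The directory entries, DNs and group names are all made up for the example; the assumption that a domain controller's view is limited to its own partition is a simplification chosen for the model. The last helper builds the LDAP filter that uses the real LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which asks the server itself to walk nested membership; it is included only for comparison and is not run against any server here.

```python
from collections import deque

# Constructed sample directory: two domains of one forest (acme.com and
# child.acme.com). Each DN maps to its domain partition, its group scope, and
# the DNs listed in its "member" attribute. All values are made up.
DIRECTORY = {
    "CN=user1,CN=Users,DC=acme,DC=com": {
        "domain": "DC=acme,DC=com", "scope": "user", "member": []},
    "CN=G-Sales,OU=Groups,DC=acme,DC=com": {
        "domain": "DC=acme,DC=com", "scope": "global",
        "member": ["CN=user1,CN=Users,DC=acme,DC=com"]},
    "CN=U-AllSales,OU=Groups,DC=acme,DC=com": {
        "domain": "DC=acme,DC=com", "scope": "universal",
        "member": ["CN=G-Sales,OU=Groups,DC=acme,DC=com"]},
    "CN=DL-Admins,OU=Groups,DC=acme,DC=com": {
        "domain": "DC=acme,DC=com", "scope": "domainLocal",
        "member": ["CN=user1,CN=Users,DC=acme,DC=com"]},
    # Domain Local group in the child domain that nests a universal group
    # from the parent domain: the cross-domain case from the post.
    "CN=DL-FileShare,OU=Groups,DC=child,DC=acme,DC=com": {
        "domain": "DC=child,DC=acme,DC=com", "scope": "domainLocal",
        "member": ["CN=U-AllSales,OU=Groups,DC=acme,DC=com"]},
}


def invert_member(directory):
    """Derive memberOf back-links from the forward 'member' links."""
    member_of = {dn: set() for dn in directory}
    for group_dn, entry in directory.items():
        for m in entry["member"]:
            member_of.setdefault(m, set()).add(group_dn)
    return member_of


def transitive_member_of(user_dn, directory):
    """Return every group (direct and nested) that contains user_dn.

    This is the set msds-memberoftransitive is meant to report when the
    server can see every group in the chain. Breadth-first search with a
    visited set terminates even when groups nest each other circularly.
    """
    member_of = invert_member(directory)
    seen, queue = set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in member_of.get(dn, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return sorted(seen)


def visible_from_domain(directory, domain_dn):
    """Model (assumption for this example) of a domain controller that holds
    only its own domain partition: entries from other domains are not
    visible, so membership chains passing through them cannot be expanded."""
    return {dn: e for dn, e in directory.items() if e["domain"] == domain_dn}


def in_chain_filter(user_dn):
    """LDAP filter using LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941),
    the server-side alternative for walking nested membership. Filter
    metacharacters in the DN are escaped per RFC 4515."""
    escaped = user_dn.translate({ord(c): "\\%02x" % ord(c) for c in "\\*()\0"})
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escaped


if __name__ == "__main__":
    user = "CN=user1,CN=Users,DC=acme,DC=com"
    print("forest-wide view :", transitive_member_of(user, DIRECTORY))
    print("acme.com DC view :", transitive_member_of(
        user, visible_from_domain(DIRECTORY, "DC=acme,DC=com")))
    print("filter           :", in_chain_filter(user))
```

Run as a script, the forest-wide expansion lists all four groups, including the child-domain Domain Local group reached through the universal group, while the view restricted to the acme.com partition stops at three. That gap is the same shape as the incomplete list reported in the post, and it is the reason cross-domain group resolution is usually done against a source that can see every partition involved rather than a single domain's controller.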