Can SIDs returned by tokenGroupsGlobalAndUniversal attribute span multiple forests


  • Is it possible for the tokenGroupsGlobalAndUniversal attribute to contain SIDs from domains of trusted forests? My understanding is that this attribute only returns Global and Universal groups of the user's own forest.

    I am researching a customer problem. They have two forests, and each of the forests has a single domain. Let's say the forests are F1 and F2 and the domains are D1 and D2.

    F1 has D1 (root of the forest F1). F2 has D2 (root of the forest F2). The domain SIDs are S1 and S2. When I fetch tokenGroupsGlobalAndUniversal of a user in D1, I see that the SIDs returned are from both forests, F1 (D1) and F2 (D2).

    All my reading online indicates that a Universal group can only contain members from the forest where the group was created. I even tried adding members from the other forest to a Universal group using ADUC; the browse option does not even show trusted forests.

    Given that I can't even add members from a foreign forest to a Universal group, I am not sure how tokenGroupsGlobalAndUniversal can return SIDs from two forests.

    Can you please shed light on this question and help me understand what I am missing?

    Anil Lingamallu

    Saturday, February 18, 2017 3:39 AM
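The following PowerShell script is an added diagnostic example, not code from the original post. It reads the constructed tokenGroupsGlobalAndUniversal attribute for one user, splits each returned SID into its domain prefix, and buckets the SIDs by the domain SIDs the poster calls S1 and S2, so it is possible to see exactly which SIDs belong to D2 rather than reasoning from group names alone. The user DN and the two domain SIDs in the script are placeholders and must be replaced with real values; the DirectoryEntry.RefreshCache call is what makes the domain controller compute the constructed attribute.

```powershell
# Added diagnostic example (not from the original post).
# The DN and the two domain SIDs below are placeholders (assumptions), not real values.
param(
    [string]$UserDn = "CN=Test User,OU=Users,DC=d1,DC=example",          # placeholder DN of the D1 user
    [hashtable]$KnownDomains = @{
        "S-1-5-21-111111111-222222222-333333333" = "D1 (forest F1)"      # placeholder for domain SID S1
        "S-1-5-21-444444444-555555555-666666666" = "D2 (forest F2)"      # placeholder for domain SID S2
    }
)

Add-Type -AssemblyName System.DirectoryServices

# Bind to the user and ask the DC to compute the constructed attribute.
# Constructed attributes are not returned by default; RefreshCache forces them.
$user = [ADSI]("LDAP://" + $UserDn)
$user.RefreshCache([string[]]@("tokenGroupsGlobalAndUniversal", "sIDHistory"))

# The user's own sIDHistory values, listed so they can be told apart from group SIDs.
$ownSidHistory = @(
    foreach ($raw in $user.Properties["sIDHistory"]) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
)

$report = foreach ($raw in $user.Properties["tokenGroupsGlobalAndUniversal"]) {
    # Each value is a binary SID; build a SecurityIdentifier from the byte array.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)

    # AccountDomainSid is $null for BUILTIN and well-known SIDs.
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { "(no account domain)" }

    # Map the domain prefix to the forest/domain label; anything else is flagged for follow-up.
    $origin = if ($KnownDomains.ContainsKey($domainSid)) { $KnownDomains[$domainSid] } else { "unknown / other domain" }

    # Name resolution is best effort; a SID that cannot be translated is still reported.
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { "(unresolvable)" }

    [pscustomobject]@{
        Sid          = $sid.Value
        DomainSid    = $domainSid
        Origin       = $origin
        Name         = $name
        InSidHistory = ($ownSidHistory -contains $sid.Value)
    }
}

# Per-SID listing, then a count per origin so the D1/D2 split is visible at a glance.
$report | Sort-Object DomainSid, Sid | Format-Table -AutoSize
$report | Group-Object Origin | Select-Object Name, Count | Format-Table -AutoSize
```

Run it against a domain controller of D1 while authenticated as a D1 account. Any row whose Origin is "D2 (forest F2)" is a SID that really carries the S2 prefix; the Name column then shows whether it resolves to a group object in D2 or is only a SID value, which is the distinction worth checking next (for example against the sIDHistory attribute of the D1 groups the user belongs to).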