Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Peter Crowther wrote: > In an AD environment, it *may* also be worth checking whether the groups > are local, global or universal. Tony, you'll know better than me - does > the enumeration have to go to a global catalog server in all cases / for > universal groups, or do all DCs have enough information in all cases? I > know a GC has to be contacted when a user logs in to obtain group > information for that user, just in case they're in any universal groups, > and would assume the same to be the case for a server resolving groups > in an SSPI connection to that server. I think all the DCs have all the information cached (even if only because of the login). The group enumeration normally works via the current thread token, provided that impersonation is enabled - this is the fastest way as it just uses the local cached information. If you're not impersonating it enumarates the local and global groups which may take longer, but normally not very much more than the round trip time to the DC. The method in use is traced out just before the list of groups. Tony