Understanding Active Directory and Windows NT Group Information Support
This topic describes support for polling group information from Active Directory and Windows NT servers.
Active Directory Group Information Overview
The access management framework supports user group lookup in Domain Local, Domain Global, and Universal groups in the default domain, child domains, and all trusted domains. The system obtains group membership using three methods with different capabilities:
- Group information in User’s Security Context—Returns information about the user’s Domain Global groups.
- Group information obtained using LDAP search calls—Returns information about the user’s Domain Global groups and about the user’s Universal groups if the access management framework queries the Global Catalog Server.
- Group information using native RPC calls—Returns information about the user’s Domain Local groups.
With respect to role-mapping rules, the system attempts group lookup in the following order:
- Checks for all Domain Global groups using the user’s security context.
- Performs an LDAP query to determine the user’s group membership.
- Performs an RPC lookup to determine the user’s Domain Local group membership.
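As an added example (not from this document or the product it describes), the following PowerShell script makes the difference between the security-context view and the LDAP-search view visible on a real directory: it reads the user's tokenGroups (the group SIDs that land in the security context), then runs the same membership search once against a domain controller and once against the Global Catalog, classifying each returned group's scope from its groupType bits. The hostname dc01.corp.example, the user jdoe, and the assumption that the domain controller also hosts the Global Catalog are hypothetical.

```powershell
# Added example, not from the original document or the product it describes.
# Shows three views of a user's Active Directory group membership:
#   1. tokenGroups      - the SIDs that land in the user's security context
#   2. LDAP search (DC) - groups in the DC's domain whose 'member' lists the user
#   3. LDAP search (GC) - the Global Catalog view, where only universal groups
#                         carry a replicated 'member' attribute
# Assumed (hypothetical): dc01.corp.example is a DC that also hosts the GC; user jdoe.
param(
    [string]$DomainController = 'dc01.corp.example',
    [string]$SamAccountName   = 'jdoe'
)

Add-Type -AssemblyName System.DirectoryServices

# groupType bit flags from the AD schema. Security groups also carry 0x80000000,
# which makes the stored Int32 negative, so "security group" is "groupType -lt 0".
$GT_GLOBAL       = 0x2
$GT_DOMAIN_LOCAL = 0x4
$GT_UNIVERSAL    = 0x8

function Get-GroupScope {
    param([int]$GroupType)
    if ($GroupType -band $GT_DOMAIN_LOCAL) { return 'DomainLocal' }
    if ($GroupType -band $GT_GLOBAL)       { return 'Global' }
    if ($GroupType -band $GT_UNIVERSAL)    { return 'Universal' }
    return 'Unknown'
}

# RFC 4515 escaping so a DN containing parentheses or backslashes is safe in a filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-UserDn {
    param([string]$Root, [string]$Sam)
    $base     = [System.DirectoryServices.DirectoryEntry]::new($Root)
    $filter   = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $Sam)))"
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($base, $filter, [string[]]@('distinguishedName'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "user '$Sam' not found under $Root" }
    return [string]$hit.Properties['distinguishedname'][0]
}

# Security-context view: tokenGroups is a constructed attribute (nesting already
# expanded by the DC) and is only returned by a base-scope search on the user object.
function Get-TokenGroups {
    param([string]$Root, [string]$UserDn)
    $user     = [System.DirectoryServices.DirectoryEntry]::new("$Root/$UserDn")
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($user, '(objectClass=*)', [string[]]@('tokenGroups'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $hit = $searcher.FindOne()
    foreach ($sidBytes in $hit.Properties['tokengroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

# LDAP-search view: every group whose 'member' attribute lists the user, with its scope.
function Get-DirectGroups {
    param([string]$Root, [string]$UserDn)
    $base     = [System.DirectoryServices.DirectoryEntry]::new($Root)
    $filter   = "(&(objectClass=group)(member=$(ConvertTo-LdapFilterValue $UserDn)))"
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($base, $filter, [string[]]@('distinguishedName', 'groupType'))
    $searcher.PageSize = 500
    foreach ($g in $searcher.FindAll()) {
        $gt   = [int]$g.Properties['grouptype'][0]
        $kind = if ($gt -lt 0) { 'Security' } else { 'Distribution' }
        [pscustomobject]@{
            Source = $Root
            Scope  = Get-GroupScope $gt
            Kind   = $kind
            Group  = [string]$g.Properties['distinguishedname'][0]
        }
    }
}

$ldapRoot = "LDAP://$DomainController"
$gcRoot   = "GC://$DomainController"   # Global Catalog (port 3268) view of the same server
$userDn   = Find-UserDn -Root $ldapRoot -Sam $SamAccountName

Write-Host "== Security context (tokenGroups) for $userDn"
Get-TokenGroups  -Root $ldapRoot -UserDn $userDn | Format-Table -AutoSize
Write-Host "== LDAP search against the domain controller"
Get-DirectGroups -Root $ldapRoot -UserDn $userDn | Format-Table -AutoSize
Write-Host "== LDAP search against the Global Catalog"
Get-DirectGroups -Root $gcRoot   -UserDn $userDn | Format-Table -AutoSize
```

Run it from a domain-joined host with credentials that can read the directory. The Global Catalog answer contains only groups whose member attribute is replicated into the catalog, which is why universal groups from every domain in the forest show up there while global and domain local groups from other domains do not; tokenGroups is computed by the domain controller you ask, so it reflects that controller's domain. The RPC path the text describes for Domain Local groups is not shown.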
Windows NT4 Group Information Overview
The access management framework supports group lookup in the Domain Local and Domain Global groups created in the default domain, as well as in all child domains and other trusted domains. The system obtains group membership using:
- Domain Global group information from the user’s security context.
- Domain Local information using RPC calls.
In the Windows NT4 environment, the system does not use LDAP-based search calls.