tokenGroups is one of the more interesting and very overlooked attributes in Active Directory: it provides an easy method of querying the security group membership of a user or computer, including nested membership.

Why should I care?

One of the most common problems people encounter when scripting solutions for Active Directory is dealing with group membership, in particular nested group membership, when designs follow the Microsoft recommendation to collect users into global groups and nest those into domain local groups for applying permissions and so on.

Over the last few years I have seen a lot of audit and logon scripts that fail in very interesting ways, either because the authors were unaware of some of the interesting "quirks" of Active Directory and did no testing, or because someone later changed the implementation without testing, causing no end of problems further down the road.

"Examples", some of you are no doubt shouting; others have no doubt been on the sharp end of this and just want to see the details of a possible solution, so please skip ahead. These are some of the common problems, but for brevity I will be skipping some of the more esoteric ones.

memberOf

Each user and computer has an attribute called memberOf which lists all the groups the user or computer is a member of, sort of. It's the "sort of" that gets most people, because memberOf does not include Primary Group membership, membership in Domain Local groups in other domains
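As an added example (not code from the original post), the following PowerShell reads tokenGroups for one object and resolves each SID to a name so it can be compared with the flat memberOf list. It assumes a domain-joined Windows host with read access to the object; the distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Assumes a domain-joined host and
# read access to the target object; the DN below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices

function Get-TokenGroupNames {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Bind directly to the object on a DC of its domain. tokenGroups is a
    # constructed attribute: it is only returned for a base-scope read of the
    # object itself, never from a subtree search, and RefreshCache makes the
    # DC compute it for this bind.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $entry.RefreshCache([string[]]@('tokenGroups', 'memberOf', 'primaryGroupID'))

    $tokenGroups = @(foreach ($raw in $entry.Properties['tokenGroups']) {
        # Each value is a binary SID; wrap it and try to resolve it to a name.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }   # e.g. a SID this host cannot resolve (trusted domain)
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    })

    # memberOf is the stored, non-recursive list; tokenGroups is the computed
    # token and also carries the primary group and nested groups.
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        PrimaryGroupID    = [int]$entry.Properties['primaryGroupID'].Value
        MemberOfCount     = $entry.Properties['memberOf'].Count
        TokenGroupCount   = $tokenGroups.Count
        TokenGroups       = $tokenGroups
    }
}

# Usage: the two counts differ whenever primary group or nesting is in play.
$result = Get-TokenGroupNames -DistinguishedName 'CN=Example User,OU=Staff,DC=example,DC=com'
$result | Select-Object DistinguishedName, PrimaryGroupID, MemberOfCount, TokenGroupCount
$result.TokenGroups | Sort-Object Name | Format-Table Sid, Name -AutoSize
```

The token is computed by the DC you bind to, so domain local groups from another domain only appear when you query a DC in that domain.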

Recursion


Primary Group membership

primaryGroupID is defined in the Active Directory schema

Details

[schema definition]