adclient.use.tokengroups

This configuration parameter specifies whether the agent should attempt to use the Active Directory tokenGroups attribute on the user object to determine a user’s group membership when the Kerberos Privilege Attribute Certificate (PAC) is not available.

In most cases, allowing the agent to use this attribute when necessary is desirable, and the default setting for this parameter is true. For example:

adclient.use.tokengroups: true

In mixed-mode domains with both Windows 2000 and Windows 2003 computers, however, the tokenGroups attribute can include Universal groups in the user's group membership list. If you have Universal groups in mixed-mode domains and want to prevent those Universal groups from being included in the user's group membership list, you can set this parameter value to false. Setting this value to false forces the agent to use a slower mechanism for finding group membership instead of the tokenGroups attribute. This can result in a slower user login experience, but the results will be consistent with what would be retrieved using the Kerberos PAC.
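
Before changing the setting, it can help to see which groups a user would gain only through the tokenGroups fallback. The following is an added example, not part of the product documentation: it decodes tokenGroups values (Active Directory returns them as binary SIDs) and compares them with a list of SIDs taken from a PAC-based login. The function names and all sample values are constructed for illustration, and how the two lists are collected is left to the administrator.

```python
import struct

def decode_sid(raw: bytes) -> str:
    """Decode one binary SID, the form in which tokenGroups values arrive."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def membership_diff(token_groups, pac_sids):
    """Return (SIDs only in tokenGroups, SIDs only in the PAC list)."""
    from_token = {decode_sid(value) for value in token_groups}
    from_pac = set(pac_sids)
    return sorted(from_token - from_pac), sorted(from_pac - from_token)

def sample_sid(*subs):
    """Build a binary SID under authority 5 for the constructed data below."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(
        "<%dI" % len(subs), *subs)

# Constructed sample data: a made-up domain SID with three group RIDs.
DOMAIN = (21, 1000, 2000, 3000)
TOKEN_GROUPS = [sample_sid(*DOMAIN, rid) for rid in (513, 1105, 1106)]
PAC_SIDS = ["S-1-5-21-1000-2000-3000-513", "S-1-5-21-1000-2000-3000-1105"]

if __name__ == "__main__":
    only_token, only_pac = membership_diff(TOKEN_GROUPS, PAC_SIDS)
    print("only via tokenGroups:", only_token)
    print("only via PAC:", only_pac)
```

A non-empty first list identifies the groups whose membership depends on adclient.use.tokengroups being true.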