3.3.4.3 GetADPrincipalAuthorizationGroup

  • Article

A server processes a GetADPrincipalAuthorizationGroup request using the Active Directory Web Services: Custom Action Protocol upon receiving a SOAP message that contains the GetADPrincipalAuthorizationGroupRequest_Headers header and that specifies the following URI as the SOAP action:

http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADPrincipalAuthorizationGroup

This operation is specified by the following WSDL.

 <wsdl:operation name="GetADPrincipalAuthorizationGroup">
     <wsdl:input
         wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADPrincipalAuthorizationGroup"
         name="GetADPrincipalAuthorizationGroupRequest"
         message="ca:GetADPrincipalAuthorizationGroupRequest" />
   <wsdl:output
       wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/GetADPrincipalAuthorizationGroupResponse"
       name="GetADPrincipalAuthorizationGroupResponse"
       message="ca:GetADPrincipalAuthorizationGroupResponse" />
   <wsdl:fault
       wsam:Action="http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault"
       name="GetADPrincipalAuthorizationGroupFault"
       message=
 "ca:AccountManagement_GetADPrincipalAuthorizationGroup_GetADPrincipalAuthorizationGroupFault_FaultMessage" />
 </wsdl:operation>

The GetADPrincipalAuthorizationGroup custom action retrieves information for all security-enabled groups that contain, as a member, the authenticable principal specified in GetADPrincipalAuthorizationGroupRequest/PrincipalDN (section 3.3.4.3.2.4) in the NC specified in GetADPrincipalAuthorizationGroupRequest/PartitionDN (section 3.3.4.3.2.3).

For each security-enabled group in which the specified authenticable principal is a member, the GetADPrincipalAuthorizationGroup operation constructs an ActiveDirectoryGroup object (section 2.2.3.3) with all the elements populated and adds it to the GetADPrincipalAuthorizationGroupResponse/MemberOf (section 3.3.4.3.2.6) element. Upon success, the GetADPrincipalAuthorizationGroupResponse element is returned. If an authenticable principal is not a member of any security-enabled groups, then the server returns a GetADPrincipalAuthorizationGroupResponse with an empty MemberOf element.

Groups are returned without respect to the context supplied in GetADPrincipalAuthorizationGroupRequest/PartitionDN (section 3.3.4.3.2.3).

Note Returned groups include the primary group of the authenticable principal specified in GetADPrincipalAuthorizationGroupRequest/PrincipalDN.

If an error occurs while processing this operation, the server MUST return the appropriate SOAP fault for the particular error condition as specified in section 3.3.4.3.8.