3.1.1.11.2.18 GetAuthSiloClaim

msdn link

 procedure GetAuthSiloClaim (
     pADPrincipal : ADDRESS OF DSNAME) : CLAIM_ENTRY

This is a helper procedure that computes the value of the ad://ext/AuthenticationSilo constructed claim type for the specified principal.

pADPrincipal: The Active Directory principal to return an AuthenticationSilo claim for, if applicable.

Return Values: This procedure returns a CLAIM_ENTRY (section 2.2.18.5) if the specified principal is a member of an authentication silo; otherwise NULL.

Logical Processing:

 claim : CLAIM_ENTRY;
 parentNC : DSName
 siloMember : DSName
 memberOfSilo : Boolean;
 assignedSilo : DSName
  
 /*
   AuthSiloClaim is not issued until the domain 
   functional level is at DS_BEHAVIOR_WIN2012R2
   or higher.
 */
 parentNC := GetObjectNC(pADPrincipal)
 if (parentNC!msDS-BehaviorVersion < DS_BEHAVIOR_WIN2012R2)
   return NULL
 endif
  
 /*
   Check if user is assigned to an enforced silo.
 */
 assignedSilo := pADPrincipal!msDS-AssignedAuthNPolicySilo
 if (assignedSilo = NULL ||
     assignedSilo!msDS-AuthNPolicySiloEnforced = FALSE)
   return NULL
 endif
  
 /*
   Check if silo is configured with the user as a member.
 */
 memberOfSilo := FALSE
 foreach (siloMember in assignedSilo!msDS-AuthNPolicySiloMembers)
   if (siloMember = pADPrincipal)
       memberOfSilo := TRUE
       break
   endif
 endfor
  
 if (memberOfSilo = FALSE)
     return NULL
 endif
  
 /*
    Fill in the claim details and return the claim.
 */
 claim.Id := "ad://ext/AuthenticationSilo";
 claim.Type := CLAIM_TYPE_STRING
 claim.ValueCount := 1
 claim.Values := assignedSilo.name
  
 return claim;