Ball, Donald A Jr (Library) wrote:
> Apologies if this is too off-topic, but I can't think of where else to
> start looking. I need to test for group membership on Windows in a Ruby
> program. I've got some authentication code working just fine:

In my experience, the logon call and the underlying LDAP request
to return the tokenGroups attribute is hugely expensive. It causes
the DC to do calls to other DCs including the GC server. We do
this where absolutely necessary, but it definitely isn't wise
to do it whenever you have an authorization request to evaluate.

You should instead attempt to enumerate the group member SIDs of
the current process token, or use one of the APIs that does this.

I'm a bit limited unfortunately in how much more help I can give,
as I've been out of this space for a year or two now.

Clifford Heath.
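
An added example, not part of the original thread: one way to follow the advice above from Ruby is to ask Windows whether a group SID is enabled in the caller's own access token via the Win32 `CheckTokenMembership` API, which needs no logon call or tokenGroups query. The helper names `valid_sid_string?` and `token_member_of?` are hypothetical, and restricting input to numeric SID strings is an assumption of this sketch.

```ruby
# Added example (not from the original thread). Helper names are hypothetical.
SID_PATTERN = /\AS-1-\d{1,15}(?:-\d{1,10}){1,15}\z/

# Accept only the numeric string form of a SID, e.g. "S-1-5-32-544"
# (the well-known BUILTIN\Administrators SID).
def valid_sid_string?(text)
  text.is_a?(String) && SID_PATTERN.match?(text)
end

# True if the SID is present and enabled in the caller's access token.
# A deny-only SID (such as Administrators in a UAC-filtered token) gives false.
def token_member_of?(sid_string)
  unless valid_sid_string?(sid_string)
    raise ArgumentError, "not a numeric SID: #{sid_string.inspect}"
  end
  raise NotImplementedError, 'requires Windows' unless RUBY_PLATFORM =~ /mswin|mingw/

  require 'fiddle' # loaded lazily so this file still loads on other platforms
  abi = if Fiddle::Function.const_defined?(:STDCALL)
          Fiddle::Function::STDCALL
        else
          Fiddle::Function::DEFAULT
        end
  advapi32 = Fiddle.dlopen('advapi32.dll')
  kernel32 = Fiddle.dlopen('kernel32.dll')
  ptr = Fiddle::TYPE_VOIDP
  bind = ->(lib, name, args, ret) { Fiddle::Function.new(lib[name], args, ret, abi) }
  convert = bind.call(advapi32, 'ConvertStringSidToSidA', [ptr, ptr], Fiddle::TYPE_INT)
  check = bind.call(advapi32, 'CheckTokenMembership', [ptr, ptr, ptr], Fiddle::TYPE_INT)
  local_free = bind.call(kernel32, 'LocalFree', [ptr], ptr)

  sid_out = "\0" * Fiddle::SIZEOF_VOIDP # receives the PSID allocated by Windows
  raise 'ConvertStringSidToSidA failed' if convert.call(sid_string + "\0", sid_out).zero?
  sid = sid_out.unpack1('J')
  begin
    is_member = "\0" * 4 # BOOL out-parameter
    # A NULL token handle means: the thread's impersonation token if there is
    # one, otherwise a duplicate of the process primary token.
    raise 'CheckTokenMembership failed' if check.call(nil, sid, is_member).zero?
    is_member.unpack1('l') != 0
  ensure
    local_free.call(sid) # the converted SID must be released with LocalFree
  end
end
```

On Windows, `token_member_of?('S-1-5-32-544')` reports whether the current process is running with the local Administrators group enabled.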