Re: Roles in context
From: John M Deal (johndeal_at_necessitysoftware.com)
Date: 11/19/04
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Retrieve the Primary Group Name for a User in Active Directory"
- In reply to: richlm: "Re: Roles in context"
- Next in thread: danielroot: "Re: Roles in context"
- Reply: danielroot: "Re: Roles in context"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Nov 2004 19:31:04 -0800
If on the last point you (the original poster) were asking "would having
a client machine with the same name as a domain give you access to the
domain resources if you were in the machine's administrator group" the
answer would be no. The reason for this is that it is not the name of
the machine, or even the domain for that matter, that gives you access
to resources; it is instead the security identifier (SID) of the logged-on
user, which is unique. Also the type of identifier on the machine is
different than the type on the domain. This is a bit too big a topic to
get into here but if you are interested in finding out a little about
how this really works, here's a link to the online version of Keith
Brown's security book:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage
This book is a must read, but you can find out most of what you need to
know about how security works (from a developer's perspective) in the
first thirty pages or so. Hope this will help you understand more about
how this all ties together.
Have A Better One!
John M Deal, MCP
Necessity Software
richlm wrote:
> I would normally expect to see groups in AD for each departmental role e.g.
> "SalesAdministrator", "SalesRep", "AccountsAdministrator",
> "InventoryAdministrator", etc.
> You can group these together into a hierarchy in AD, e.g. so that the "VP"
> role includes all the others.
> The roles/groups in AD should reflect your business organization.
>
> In many scenarios the standard WindowsPrincipal.IsInRole will be sufficient.
> If not you could use Authorization Manager (AzMan) to manage
> application-specific roles.
> AzMan is a component of Windows Server 2003 which can also be installed on
> XP. Here's a good intro if you're not familiar:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManRoles.asp
>
> Also look at the "Authorization and Profile Application Block" from
> Microsoft Patterns and Practices
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/authpro.asp
> This builds on AzMan and it may provide the basis/inspiration for a
> solution.
>
>
> As for your last question - gaining access to what? The user would
> presumably need domain admin privileges to add their "new" machine to the
> domain and gain access to any remote resources.
>
>
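An added illustration of the SID-versus-name point above (this is not code from the thread or from either poster): two accounts that both read as "CORP\Administrator(s)" carry different SIDs because the local machine and the domain are different issuing authorities, and a role check on a Windows token compares SIDs, never names. The two SID strings are constructed samples, not real identifiers; the program needs Windows and System.Security.Principal.

```csharp
using System;
using System.Security.Principal;

static class SidDemo
{
    // Constructed sample SIDs (hypothetical values, not real identifiers).
    // S-1-5-21-<a>-<b>-<c> identifies the issuing machine or domain; the
    // final number is the relative ID (RID) of the account or group.
    const string LocalAdminSid  = "S-1-5-21-1111111111-2222222222-3333333333-500"; // machine's Administrator
    const string DomainAdminsSid = "S-1-5-21-4444444444-5555555555-6666666666-512"; // domain's Domain Admins

    static void Main()
    {
        var localAdmin   = new SecurityIdentifier(LocalAdminSid);
        var domainAdmins = new SecurityIdentifier(DomainAdminsSid);

        // Same display name on both sides, but the SIDs are unrelated:
        Console.WriteLine("Equal SIDs?        " + localAdmin.Equals(domainAdmins));            // False
        Console.WriteLine("Local authority:   " + localAdmin.AccountDomainSid);                // machine SID
        Console.WriteLine("Domain authority:  " + domainAdmins.AccountDomainSid);              // domain SID
        Console.WriteLine("Both account SIDs? " + (localAdmin.IsAccountSid() && domainAdmins.IsAccountSid()));

        // BUILTIN\Administrators (S-1-5-32-544) is a well-known alias with the same
        // SID on every machine, yet membership in it is decided by the machine that
        // owns the resource, so being in it on your own box grants nothing elsewhere.
        var builtinAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("BUILTIN\\Administrators = " + builtinAdmins.Value);

        // WindowsPrincipal.IsInRole accepts a SecurityIdentifier; the check walks the
        // group SIDs in the caller's token, which is why renaming a machine or a
        // group changes nothing about what the token can access.
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("Caller in that domain's Domain Admins? " + principal.IsInRole(domainAdmins));
        Console.WriteLine("Caller in local Administrators?        " + principal.IsInRole(builtinAdmins));
    }
}
```

Running it as a plain user and then from an elevated prompt shows the BUILTIN\Administrators line flip while the Domain Admins line stays false on a machine that is not joined to a domain with that SID.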