Re: Check group membership, the sequel
From: Sameh Ahmed (essoplus_at_hotmail.com)
Date: 02/22/05
- Next message: Bern McCarty: "MEC++ - propogating FullTrust to another AppDomain with a different application base"
- Previous message: Morten Overgaard: "ADAM, AzMan question"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Check group membership, the sequel"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Check group membership, the sequel"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Check group membership, the sequel"
Date: Tue, 22 Feb 2005 22:40:19 +0200
Unfortunately this is a 2000 domain.
And tokenGroups is rarely mentioned on MSDN; I will keep searching till
I get something useful on how to use that attribute.
Regards
Thanks Joe
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:O7$AScJGFHA.2824@tk2msftngp13.phx.gbl...
> So, you need to look up the group membership for a user that you don't
> have a security token for? That is a little bit harder.
>
> The absolute best way to deal with that situation is to use the protocol
> transition (S4U) feature of Windows Server 2003 AD by creating a
> WindowsIdentity for the user with their userPrincipalName. You don't need
> a password for this. You get a lower privileged token, but you can still
> create a WindowsPrincipal that can be used for role checks.
>
> If you don't have a native mode 2003 AD, then this problem is harder to
> deal with. You'll probably need to do some directory services code to do
> the group membership expansion (although the AzMan APIs may be an option
> as well). The secret with LDAP calls is to use the tokenGroups attribute
> which is a calculated attribute that contains the fully expanded security
> group membership for the object.
>
> Joe K.
>
> "Sameh Ahmed" <essoplus@hotmail.com> wrote in message
> news:uokivaIGFHA.2156@TK2MSFTNGP10.phx.gbl...
>> I need to specify a different user than the one used to run the code
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:u1k4QLEGFHA.1392@tk2msftngp13.phx.gbl...
>>> IsInRole supports fully nested security group membership (assuming you
>>> are on a 2000 native AD domain that supports nested groups). You don't
>>> have to do anything extra to make this work.
>>>
>>> Joe K.
>
>
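Both routes Joe describes above, side by side, as an added example that is not code from this thread or from either poster. It assumes .NET 2.0 or later (for SecurityIdentifier and nullable bool) on a domain-joined machine; the UPN and group name in Main are placeholders. The first path tries the S4U constructor and reports "unavailable" when the domain cannot do protocol transition, which is exactly the Windows 2000 case in the reply above; the second path reads the constructed tokenGroups attribute over LDAP and compares SIDs rather than names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security;
using System.Security.Principal;
using System.Text;

// Added example (not from the thread). Assumes .NET 2.0+, a domain-joined host,
// and placeholder identities; see Main.
static class GroupMembership
{
    // Path 1: S4U protocol transition (Windows Server 2003 functional level).
    // No password is needed; the token is identification-level, which is enough
    // for IsInRole but not for impersonating the user.
    public static bool? IsInRoleViaS4U(string upn, string groupName)
    {
        try
        {
            WindowsIdentity id = new WindowsIdentity(upn);
            WindowsPrincipal principal = new WindowsPrincipal(id);
            return principal.IsInRole(groupName);
        }
        catch (SecurityException)
        {
            return null; // S4U not available, e.g. a Windows 2000 domain
        }
    }

    // Path 2: read tokenGroups, the DC-computed, fully expanded list of
    // security-group SIDs for the object. It is a constructed attribute, so it
    // is only returned on a base-scope read of the object itself; that is why
    // the code binds to the user's entry and calls RefreshCache explicitly.
    public static List<SecurityIdentifier> TokenGroups(string upn)
    {
        DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE");
        string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
        DirectoryEntry domain = new DirectoryEntry("LDAP://" + defaultNc);

        DirectorySearcher searcher = new DirectorySearcher(domain);
        // The UPN is caller-supplied: escape it or this filter is an LDAP injection point.
        searcher.Filter = "(&(objectClass=user)(userPrincipalName=" + EscapeFilter(upn) + "))";
        searcher.PropertiesToLoad.Add("distinguishedName");
        SearchResult result = searcher.FindOne();
        if (result == null)
            throw new ArgumentException("No user with userPrincipalName " + upn);

        DirectoryEntry user = result.GetDirectoryEntry();
        user.RefreshCache(new string[] { "tokenGroups" });

        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            sids.Add(new SecurityIdentifier(sidBytes, 0)); // binary SID -> SecurityIdentifier
        return sids;
    }

    // Compare SIDs, not display names, so a renamed group still matches the way
    // it would in a real access token.
    public static bool IsInRoleViaTokenGroups(string upn, string groupAccountName)
    {
        SecurityIdentifier groupSid = (SecurityIdentifier)
            new NTAccount(groupAccountName).Translate(typeof(SecurityIdentifier));
        foreach (SecurityIdentifier sid in TokenGroups(upn))
            if (sid.Equals(groupSid))
                return true;
        return false;
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        string upn = "someuser@contoso.example";  // placeholder
        string group = @"CONTOSO\SomeSecurityGroup"; // placeholder
        bool? viaS4U = IsInRoleViaS4U(upn, group);
        bool viaLdap = IsInRoleViaTokenGroups(upn, group);
        Console.WriteLine("S4U: {0}  tokenGroups: {1}",
            viaS4U.HasValue ? viaS4U.Value.ToString() : "unavailable", viaLdap);
    }
}
```

Two caveats worth knowing before relying on the LDAP path: tokenGroups lists security groups only (distribution groups never appear, which matches what a token would contain), and the expansion is done by the DC you bind to, so domain local groups come from that DC's own domain. The S4U path, when it works, gives you the same answer the OS would give and is the one to prefer.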