Re: Determine AD group membership



AD supports a variety of different types of groups, including security and
distribution and 3 different scopes (global, universal and domain local).

If you are only interested in the security groups that a user would have in
their local logon token, then use the logon token and GetTokenInformation.
What Joe was trying to suggest though is that the user may be in many more
groups than that, as they could be in domain local groups from other domains
and could be in all manner of distribution groups. In order to discover
that stuff, you'd really need to use LDAP as the native Windows APIs
essentially ignore them.

So, it depends on what your app requires. It sounds like you are totally
willing to just use the groups in the user's token, so you definitely want
to avoid LDAP in that case. In many apps that Joe R. encounters, the apps
purposefully use non-security groups for the application's security model so
as to avoid increasing the number of groups in a user's logon token (which
can affect logon performance and cause serious problems if the number gets
up in the 1000 range).

The important thing for you is to understand what it is that you really
require so you can address that accordingly.

Joe R. may (and probably will) clarify my clarification. My response is
based on conversations he and I have had about this very subject offline.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"TimAlsop" <TimAlsop@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3420F185-8EBC-4B33-8704-FA81C6D8F99B@xxxxxxxxxxxxxxxx
Joe,

What do you mean by "only give you security group info"? All we need is a
list of groups an AD account (the one who has already logged onto the
workstation) is a member of. e.g. if the account is a member of a group called
"Domain Administrators" we want this to be returned along with the other groups
the account has been assigned membership of.

I don't understand your reference to LDAP. Are you recommending that we use
an LDAP lookup to get group membership for the account which is currently
logged on, instead of using the proposed method to get group membership from
the local operating system? We considered this, but it means we have to
communicate with AD, and this should be avoided in our case unless it is
absolutely necessary - it just seemed sensible to get group membership
from Windows, since the PAC data in the Kerberos tickets already contains
this info.

We accept that the user who has logged onto the workstation has
authenticated during their logon, and we are thinking of using AD group
membership to define access control to specific functionality within our
application. e.g. we can get the AD administrator to create a group using the
AD Users and Computers MMC tool, then assign this group to users. In our client
software we want to check if the logged-on user is a member of a specific
group before we decide if they are allowed to perform a particular function.

Thanks,
Tim
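As an added illustration (not part of Joe K.'s or Tim's posts), here is what the "use the logon token" route Joe describes looks like in practice. The PowerShell below reads the group SIDs of the current process token through .NET's WindowsIdentity, which wraps GetTokenInformation with the TokenGroups class, resolves them to names for display, and makes the actual authorization decision with WindowsPrincipal.IsInRole, which wraps CheckTokenMembership. Two practitioner points it bakes in: compare by SID rather than display name (the built-in group is actually named "Domain Admins", and group names can be renamed or localized while SIDs cannot), and let CheckTokenMembership handle deny-only SIDs instead of string-matching the group list yourself. The application group SID is a placeholder assumption; the Domain Admins SID is built from the well-known RID 512 of the account's own domain.

```powershell
# Added example, not code from the thread. Group membership is read from the
# current logon token only: no LDAP query and no round-trip to a DC for the
# authorization decision itself.

# ASSUMPTION: placeholder SID of the application's access-control group. Store
# the SID (from Get-ADGroup or the ADUC Attribute Editor), not the display name.
$AppAdminGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# 1. Enumerate the security groups present in the token. WindowsIdentity.Groups
#    lists only SIDs with SE_GROUP_ENABLED set and omits the logon-session SID
#    and any SE_GROUP_USE_FOR_DENY_ONLY entries (e.g. Administrators in a
#    UAC-filtered token). Translate() uses LsaLookupSids and may contact a DC;
#    it is for display only and is not part of the access check.
$tokenGroups = foreach ($sid in $identity.Groups) {
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolvable: orphaned SID or unreachable trusted domain>'
    }
    [pscustomobject]@{ Sid = $sid.Value; Name = $name }
}
$tokenGroups | Sort-Object Name | Format-Table -AutoSize

# 2. Authorization check against the application group, by SID.
#    IsInRole(SecurityIdentifier) calls CheckTokenMembership, so a group that is
#    in the token as deny-only correctly yields $false.
$requiredSid = New-Object System.Security.Principal.SecurityIdentifier($AppAdminGroupSid)
$allowed = $principal.IsInRole($requiredSid)
"Member of application group $($AppAdminGroupSid): $allowed"

# 3. The same check for the account domain's Domain Admins group (RID 512),
#    constructed from the user's own domain SID rather than from the display
#    name. AccountDomainSid is $null for local (non-domain) accounts.
$domainSid = $identity.User.AccountDomainSid
if ($null -ne $domainSid) {
    $domainAdmins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
    $daName = $domainAdmins.Translate([System.Security.Principal.NTAccount]).Value
    "Member of $($daName) ($($domainAdmins.Value)): $($principal.IsInRole($domainAdmins))"
} else {
    "Local account: no domain SID, Domain Admins check skipped"
}
```

Run it in a normal (non-elevated) session as a domain admin and the Domain Admins line will still report $true, while the local Administrators group is absent from the listing and would fail IsInRole, because UAC marks it deny-only in the filtered token; that is the behavior you want from an authorization primitive. Distribution groups and domain local groups from other domains will not appear at all, which is exactly the gap Joe K. points out: if the application's security model relies on those, an LDAP lookup is unavoidable.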


