Re: Determine AD group membership
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 19 Jun 2006 13:55:03 -0400
Yep that is exactly what I was talking about but in addition to the security/distribution groups in the 3 scopes, there are also AzMan groups (group types 16 (APP_BASIC) and 32 (APP_QUERY)) to keep in mind as well.
As JoeK mentioned, the issue with token bloat and PAC overflow is getting to be a larger and larger problem in enterprise class companies as folks do more and more group nesting and consolidate more and more resources into smaller and smaller realms (domains).
I have seen a variety of web portal and collaboration apps that completely use non-Windows security enabled groups which are used to secure all manner of resources. A user could be in hundreds or even thousands of those groups with no impact on normal Windows operations.
If you know that you only care about Windows Security groups with scope local to the workstation involved, then using the local user token is completely fine.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Joe Kaplan (MVP - ADSI) wrote:
AD supports a variety of different types of groups, including security and distribution and 3 different scopes (global, universal and domain local).
If you are only interested in the security groups that a user would have in their local logon token, then use the logon token and GetTokenInformation. What Joe was trying to suggest though is that the user may be in many more groups than that, as they could be in domain local groups from other domains and could be in all manner of distribution groups. In order to discover that stuff, you'd really need to use LDAP as the native Windows APIs essentially ignore them.
So, it depends on what your app requires. It sounds like you are totally willing to just use the groups in the user's token, so you definitely want to avoid LDAP in that case. In many apps that Joe R. encounters, the apps purposefully use non-security groups for the application's security model so as to avoid increasing the number of groups in a user's logon token (which can affect logon performance and cause serious problems if the number gets up in the 1000 range).
The important thing for you is to understand what it is that you really require so you can address that accordingly.
Joe R. may (and probably will) clarify my clarification. My response is based on conversations he and I have had about this very subject offline.
Joe K.
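The distinction both Joes draw, between the security groups present in a user's logon token and the fuller membership only the directory knows about, is easy to see side by side. The following PowerShell is an added example, not code from either poster or from this thread; it assumes a domain-joined Windows host, a user with read access to their own user object, and the function names, the memberOf-based lookup and the group-count warning threshold are my own choices (the "1000 range" figure is the one quoted above, not a documented hard limit).

```powershell
# Added example: compare the groups carried in the current logon token
# (what GetTokenInformation/TokenGroups exposes) with the memberships
# recorded in the directory for the same account. Assumptions: run on a
# domain-joined host as a domain user; functions and threshold are mine.

function Get-TokenGroupNames {
    # Security groups in the current logon token, resolved to names where
    # possible. Distribution groups never appear here.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Logon SIDs and other unresolvable entries are kept as SID strings
            $sid.Value
        }
    }
}

function Get-DirectoryGroupMemberships {
    param([string]$SamAccountName = $env:USERNAME)
    # Direct memberships on the user object (memberOf). This already shows
    # distribution groups the token never carries; nested membership and
    # domain local groups from other domains need further LDAP queries.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return @() }
    foreach ($dn in $result.Properties['memberof']) {
        $entry = [ADSI]"LDAP://$dn"
        $groupType = [int]$entry.Properties['groupType'].Value
        [pscustomobject]@{
            Name     = [string]$entry.Properties['sAMAccountName'].Value
            # groupType bit 0x80000000 set => security-enabled group,
            # clear => distribution group (cannot be used in an ACL)
            Security = (($groupType -band 0x80000000) -ne 0)
            DN       = $dn
        }
    }
}

function Test-TokenGroupCount {
    param([int]$WarnAt = 1000)   # illustrative threshold from the thread, not a hard limit
    # A simple health check for the token bloat / PAC overflow concern above.
    $count = @(Get-TokenGroupNames).Count
    [pscustomobject]@{
        TokenGroupCount = $count
        NearLimit       = ($count -ge $WarnAt)
    }
}

# Usage: show what the token has, what the directory has, and the check.
$tokenGroups = Get-TokenGroupNames
$dirGroups   = Get-DirectoryGroupMemberships

"Groups in logon token: $($tokenGroups.Count)"
"Direct memberships in directory: $($dirGroups.Count)"
"Distribution groups (directory only):"
$dirGroups | Where-Object { -not $_.Security } | Select-Object Name, DN
Test-TokenGroupCount
```

Which list an application should consult is exactly the question the thread raises: if every access decision is made against Windows ACLs on the local machine, the token is the authoritative and cheapest source; if the application's own security model relies on distribution or AzMan groups, only the directory query will find them, at the cost of an LDAP round trip and the nesting/cross-domain follow-ups noted in the comments.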