Re: User account access after account disable?




No no, you misunderstand me.

LDAP calls are not the only way to check group membership and are in fact
not even the best way. The ideal way is to have a logon token for the user
and verify group membership via the SIDs in the token's "token groups"
structure. This is how Windows does it and no LDAP is involved at all.

I was just saying that IF you have an app that is checking group membership
via LDAP (which lots of developers do, even though it is non-ideal), the
user object in AD will still be a member of the groups it was a member of,
even if it is disabled. You just can't log in with the account if it is
disabled.

Also, group membership is determined by the contents of the "member"
attribute on the group object, not the memberOf attribute. MemberOf is
simply a back link and is calculated by the directory based on the contents
of all of the member attributes. There is no "uniquemember" attribute to my
knowledge.

The one exception to this is primary group membership, which is instead
determined by the primaryGroupID attribute on an object. It will contain
the RID of the group that the object has as its primary group.

I just re-read your original post and noticed that I missed the part about
NDS. Sorry, but I'm not sure I understand how that is being used in your
organization. For applications, is the user logging in with their AD
account or the NDS account? Can you explain this better?

Joe K.

"jgershater" <jgershater@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A845A450-FCA4-4193-8C9B-E9E98984EC55@xxxxxxxxxxxxxxxx
> thanks Joe
> So does that mean the ONLY way to validate group membership is via ldap
> calls?
>
> Secondly, I thought an AD user was designated member of a group, by an
> attribute on his/her object that says "memberOf" (whereas in standard ldap
> you have a group object with attributes "uniquemember"). If this is the case
> then does AD do an ldap call on the user to find out what group he belongs
> to, rather than querying the group to get its members?
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> On the second question regarding applications testing the AD for group
>> membership, the object will still be a member of groups in the AD, so if
>> they are doing LDAP calls to figure out group membership, this won't help
>> you. However, the user should not be able to login anywhere (including LDAP
>> binds or accessing web applications) as their password won't verify when
>> they are disabled, so hopefully no one doing LDAP group checks would have
>> authenticated the user in the first place as that should not be possible.
>>
>> Joe K.
>>
>> "jgershater" <jgershater@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:B72860E8-A82D-4ABF-9CA7-BC93CFC29999@xxxxxxxxxxxxxxxx
>> > Hi
>> > I have a Windows2003 ActiveDirectory (AD).
>> > AD is *NOT* used as the workstation desktop login (instead Novell NDS is
>> > used).
>> > AD is used for group membership. Groups are used by applications to
>> > determine application access.
>> >
>> > Question one:
>> > If I disable a user in AD, does that *ONLY* disable login from a
>> > workstation (which is not used in my case) or does disabling also
>> > prevent other privileges?
>> > If my account is disabled do I still have domain privileges? Can I
>> > access a shared folder? Can I print to a printer?
>> >
>> > Question two:
>> > If I DISABLE a user in AD, and the application tests the AD group for
>> > user account membership, will that test return true? Or will that test
>> > return false because even though the user is a member of the group,
>> > their account is disabled?
>>
>>
>>

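The thread above makes three points about how AD represents membership: a disabled user stays in every group's `member` attribute, `memberOf` is only a back link computed from those `member` attributes (with the primary group held separately in `primaryGroupID`), and the authoritative check is the group SIDs in a logon token, which a disabled account can never obtain. The following is an added example, not code from the thread or from any Microsoft API; it models those rules over a constructed in-memory directory rather than querying a real domain. The DNs, RIDs and domain SID are made up for the sample; the `userAccountControl` disable bit (0x0002) and the Domain Users RID (513) are real well-known values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# userAccountControl flag set on a disabled account (ADS_UF_ACCOUNTDISABLE)
ACCOUNTDISABLE = 0x0002
# Well-known RID of "Domain Users", the default primary group
DOMAIN_USERS_RID = 513
# Constructed domain SID for the sample data; not a real domain
DOMAIN_SID = "S-1-5-21-1000-2000-3000"


@dataclass
class DirObject:
    """Minimal stand-in for a user or group object in the directory."""
    dn: str
    rid: int
    is_group: bool = False
    user_account_control: int = 0           # users only
    primary_group_id: Optional[int] = None  # users only: RID of the primary group
    member: Set[str] = field(default_factory=set)  # groups only: the forward link

    @property
    def sid(self) -> str:
        return f"{DOMAIN_SID}-{self.rid}"


def build_sample_directory() -> Dict[str, DirObject]:
    """Constructed sample: two users, three groups, one group nested in another."""
    users_dn = "CN=Domain Users,CN=Users,DC=example,DC=test"
    admins_dn = "CN=AppAdmins,OU=Groups,DC=example,DC=test"
    appusers_dn = "CN=AppUsers,OU=Groups,DC=example,DC=test"
    alice_dn = "CN=alice,OU=People,DC=example,DC=test"
    bob_dn = "CN=bob,OU=People,DC=example,DC=test"
    objs = [
        # The primary group has no member entries for its primary members.
        DirObject(users_dn, DOMAIN_USERS_RID, is_group=True),
        DirObject(admins_dn, 1101, is_group=True, member={alice_dn, bob_dn}),
        DirObject(appusers_dn, 1102, is_group=True, member={admins_dn}),  # nested
        DirObject(alice_dn, 1201, primary_group_id=DOMAIN_USERS_RID),
        # bob is disabled but still listed in AppAdmins' member attribute.
        DirObject(bob_dn, 1202, user_account_control=ACCOUNTDISABLE,
                  primary_group_id=DOMAIN_USERS_RID),
    ]
    return {o.dn: o for o in objs}


def member_of(directory: Dict[str, DirObject], dn: str) -> Set[str]:
    """The memberOf back link: derived from every group's member attribute."""
    return {g.dn for g in directory.values() if g.is_group and dn in g.member}


def token_groups(directory: Dict[str, DirObject], user_dn: str) -> Set[str]:
    """Group SIDs a logon token would carry: primary group plus transitive membership."""
    user = directory[user_dn]
    sids: Set[str] = set()
    if user.primary_group_id is not None:
        sids.add(f"{DOMAIN_SID}-{user.primary_group_id}")
    pending = list(member_of(directory, user_dn))
    while pending:
        group_dn = pending.pop()
        group_sid = directory[group_dn].sid
        if group_sid in sids:
            continue
        sids.add(group_sid)
        pending.extend(member_of(directory, group_dn))  # follow nesting
    return sids


def can_logon(directory: Dict[str, DirObject], user_dn: str) -> bool:
    """A disabled account cannot authenticate, so no token is ever issued for it."""
    return not (directory[user_dn].user_account_control & ACCOUNTDISABLE)


def ldap_style_check(directory: Dict[str, DirObject], user_dn: str, group_dn: str) -> bool:
    """What an app reading the group's member attribute sees: direct membership only,
    disabled or not."""
    return user_dn in directory[group_dn].member


def token_style_check(directory: Dict[str, DirObject], user_dn: str,
                      group_dn: str) -> Optional[bool]:
    """Token-based check. Returns None when the account cannot log on, because
    there is no token to inspect in that case."""
    if not can_logon(directory, user_dn):
        return None
    return directory[group_dn].sid in token_groups(directory, user_dn)
```

Running the two checks side by side shows the gap the thread describes: the LDAP-style read of `member` still reports the disabled user as an AppAdmin, and it misses nested membership and the primary group entirely, while the token-style check refuses to answer for the disabled account and includes nested and primary groups for the enabled one.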
