Re: General questions about LDAP, GC and access permissions



Yes, that is the fully nested membership too, so you don't need to do any
LDAP queries to discover the nesting. You are basically done with task 1.

Task 2 is harder. I'd suggest you use a product to do that like Microsoft's
MIIS. It is designed to sync various directories and can automate the task
of moving the users and groups into SQL and keeping them in sync.

If you want to do this programmatically, use DirSync. This is represented
in .NET 2.0+ with the DirectorySynchronization class which is available from
the DirectorySearcher. We cover this in more detail in our book in ch 5 and
have some code samples available on our book's website (link below).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"UncleRedz" <UncleRedz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7FC31E1-E3EB-4693-9B15-944C453B8207@xxxxxxxxxxxxxxxx
"UncleRedz" wrote:

Don't forget that when you are using Windows auth, Windows itself will
calculate a user's group membership in the user's logon token. It is best
to not try to get the user's group membership via LDAP if Windows is going
to do it for you.

Well, this sounds most interesting, if the information that can be gained is
enough, then this would be the easiest solution. Do you have any pointers to
where I should look in order to get the memberships from the token?

Well, this is embarrassing, found the groups right in the WindowsIdentity...
in plain sight, couldn't be any easier.

Cheers,
UncleRedz
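
A sketch of the programmatic DirSync route mentioned in the reply above, as an added example that is not code from the thread or from the book it cites. The domain DN `DC=example,DC=com`, the cookie file name and the console output standing in for the SQL writes are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.IO;

static class GroupDirSync
{
    const string CookieFile = "dirsync.cookie";            // hypothetical state file
    const string DomainRoot = "LDAP://DC=example,DC=com";  // placeholder naming context

    static void Main()
    {
        // A DirSync search must be rooted at a naming context and use subtree scope.
        using (DirectoryEntry root = new DirectoryEntry(DomainRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // objectClass=user also matches computer accounts; filter further if needed.
            searcher.Filter = "(|(objectClass=user)(objectClass=group))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.AddRange(
                new string[] { "objectGUID", "sAMAccountName", "member", "isDeleted" });

            // ObjectSecurity returns only what the caller is allowed to read, so the
            // sync account does not need the "Replicating Directory Changes" right.
            DirectorySynchronizationOptions opts = DirectorySynchronizationOptions.ObjectSecurity;
            byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null;
            searcher.DirectorySynchronization = cookie == null
                ? new DirectorySynchronization(opts)           // first run: full read
                : new DirectorySynchronization(opts, cookie);  // later runs: changes only

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    // objectGUID survives renames and moves, so use it as the SQL key.
                    Guid id = new Guid((byte[])r.Properties["objectGUID"][0]);
                    bool deleted = r.Properties.Contains("isDeleted");
                    Console.WriteLine("{0} {1}", deleted ? "DELETE" : "UPSERT", id);
                    // Apply the upsert or delete to the SQL table here.
                }
            }

            // Save the cookie only after the batch has been applied, so a failed
            // run is retried from the previous position instead of skipping changes.
            File.WriteAllBytes(CookieFile,
                searcher.DirectorySynchronization.GetDirectorySynchronizationCookie());
        }
    }
}
```

The cookie file is the sync position, so it should be writable only by the account that runs the job.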

