Re: Creating SID Manaully
- From: Glen <DamnBigMan@xxxxxxxxx>
- Date: Sat, 01 Sep 2007 16:50:53 -0000
On Sep 1, 9:44 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I'm still confused here. When you say it takes "AD" up to a minute to
create a user, what are you referring to? Are you talking about an AD GUI
tool? Those typically use LDAP under the hood to actually create the user
much like some code that you might write would do.
As we said before, you can't specify the GUID or SID. Those are generated
by the system when the object is created in the directory (through whatever
mechanism was used to generate the object).
Before you can add an object to a group in the directory, the object must
exist in the directory. This has to do with the way group membership works
in LDAP.
I still don't understand why it would be useful for you to set the GUID or
SID manually though. Typically, when you create an object in AD
programmatically via LDAP, you specify the information needed to create the
object and the directory populates the system attributes like the GUID and
SID. Then, if you need to use those, you just read them via an LDAP query
from the newly created object. So, once you have the GUID and SID that will
be used for the object in the directory, you can use it for whatever you
need it for (which I still don't know).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--"Glen" <DamnBig...@xxxxxxxxx> wrote in message
news:1188596255.911788.194360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 31, 3:25 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This statement makes no sense to me:
Everything is working, however when the students request an account
they specify what classes they are taking and are added to
corresponding groups in order to have access to resources on the
server that are specific to that class.
I was hoping I could generate my own SID and GUID so that I wouldn't
have to wait for AD as it is remarkably slow (everything else is done
through LDAP). I guess I'll just have to have it sleep for a while or
move the group membership functionality out into a server side script
that runs every 15 minutes. I'm really just trying to optimize stuff.
------
Can you elaborate? Are you creating a user in AD and then using that
account to ACL local resources like files or folders? Why would
generating a SID and GUID be helpful?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--"Glen" <DamnBig...@xxxxxxxxx> wrote in message
news:1188594104.877451.318630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 31, 1:24 pm, net_admin <netad...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
As the other friends said, SID is managed by AD internally and it's the
RID master that manages the distribution for the DCs.
Also, I'm interested in having an automatic process like the one you are
creating. If you could share, I would appreciate it.
--
NetAdmin <São Paulo, BR>
"Das ist nicht mein bier... arschloch."
Background:
What I'm trying to do is have a self contained user request/creation
system. I work for a larger community college and the Applied
Technologies school is on a separate domain from the main campus.
Certain laws have arisen requiring accurate identification of all
users of system resources (basically no generic accounts). The
current account request system works on the honor system.
I am re-building it with two goals in mind: one, get it off of Cold
Fusion, and two, verify credentials against the main campus domain.
Current State:
Everything is working, however when the students request an account
they specify what classes they are taking and are added to
corresponding groups in order to have access to resources on the
server that are specific to that class.
I was hoping I could generate my own SID and GUID so that I wouldn't
have to wait for AD as it is remarkably slow (everything else is done
through LDAP). I guess I'll just have to have it sleep for a while or
move the group membership functionality out into a server side script
that runs every 15 minutes. I'm really just trying to optimize stuff.
The current system is being written in Ruby On Rails.
I am creating the user in AD but I was hoping to do it using LDAP
rather than letting AD create the user.
The problem is that it takes AD up to a minute to process the request
and create the account in the database. I can do it faster with LDAP,
however I don't know how to create SID and GUID entries.
I guess the user doesn't have to exist before they are added to the
group though. I could try that, otherwise I have to wait for the
account to appear in LDAP before I can add them to the appropriate
groups.
Joe,
I'm saying it takes at least a minute to add an account when I do it
through ADSI, which from my understanding is just an API for AD. When
I make modifications through LDAP directly, by-passing AD, they happen
immediately. This could be due to the DB Backend on the DC but it
could also be due to AD doing a bunch of stuff I don't need it to do.
If I can make an entry in the directory and AD will automatically
generate a SID and GUID on first access if the object doesn't have one
then that's great. I don't want to do that if I don't know what will
happen though.
Technically I can add it to the group, all I have to do is modify the
members attribute with the value that corresponds to the user that is
going to be created. My worry here is what will happen if the group
is queried and it has a member the directory doesn't know about, i.e.
how finicky is Active Directory, will it just ignore the entry, will
it remove the entry, will it roll-over and die?
I was just wondering if anyone knew what technique Microsoft uses to
generate the GUID and SID values. If I knew that I could make my own
and enter my users manually without interfacing with AD's APIs. It
would also make my code more portable which could be beneficial in the
future.
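Joe's advice above is to let the directory assign objectSid and objectGUID and read them back from the new entry, and net_admin's point is that the RID in that SID comes from the DC's RID pool. The following is an added example, not code from anyone in this thread: it decodes those two attributes from the binary form an LDAP search returns (a constructed hash stands in for the search result, and the sample bytes are made up, not from a real domain) so the Rails side can use them for ACLs and group work once the object exists.

```ruby
# Added example: decode objectSid / objectGUID as AD returns them over LDAP.
# Assumes raw binary attribute values (what net-ldap hands back); sample data
# below is constructed, not taken from any real domain.

# objectSid layout: revision(1) | sub-authority count(1) |
# identifier authority(6, big-endian) | count x sub-authority(4, little-endian)
def sid_to_s(bytes)
  b = bytes.b
  raise ArgumentError, "SID shorter than its header" if b.bytesize < 8
  revision = b.getbyte(0)
  count = b.getbyte(1)
  raise ArgumentError, "SID length does not match count" unless b.bytesize == 8 + 4 * count
  authority = b.byteslice(2, 6).unpack("C6").inject(0) { |acc, x| (acc << 8) | x }
  subs = b.byteslice(8, 4 * count).unpack("V#{count}")
  (["S", revision, authority] + subs).join("-")
end

# The last sub-authority is the RID the DC allocates from its RID pool; the
# rest identifies the domain. Neither part is chosen by the LDAP client.
def split_sid(sid_string)
  parts = sid_string.split("-")
  { domain: parts[0..-2].join("-"), rid: Integer(parts[-1]) }
end

# objectGUID: first three fields little-endian, remaining 8 bytes in order.
def guid_to_s(bytes)
  b = bytes.b
  raise ArgumentError, "GUID must be 16 bytes" unless b.bytesize == 16
  d1, d2, d3, rest = b.unpack("VvvH16")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, rest[0, 4], rest[4, 12])
end

# Turn a freshly read entry (hash standing in for an LDAP search result)
# into the string forms used for ACLs and group membership.
def describe_new_user(entry)
  sid = sid_to_s(entry["objectSid"])
  { dn: entry["dn"], sid: sid, guid: guid_to_s(entry["objectGUID"]) }.merge(split_sid(sid))
end

# Constructed sample values in the wire encoding AD returns.
SAMPLE_SID = "\x01\x05".b + [0, 5].pack("nN") +
             [21, 1234567890, 987654321, 111222333, 1105].pack("V5")
SAMPLE_GUID = [0x12345678, 0x9abc, 0xdef0, "0123456789abcdef"].pack("VvvH16")
SAMPLE_ENTRY = { "dn" => "CN=jdoe,OU=Students,DC=example,DC=edu",
                 "objectSid" => SAMPLE_SID, "objectGUID" => SAMPLE_GUID }

p describe_new_user(SAMPLE_ENTRY) if __FILE__ == $PROGRAM_NAME
```

The group add can then use the entry's DN in the group's member attribute; until the search returns that entry, there is nothing valid to reference.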