Map Active Directory Users to Internal Groups - c#

We have an in-house database that works with Users & Groups, and assigns Rights to certain Groups, and assigns Groups to Users.
We're looking to integrate this with Active Directory and I had a few questions on the subject.
If our software creates the groups "Administrators" and "Employees", how do we go about assigning AD users to these groups? Is this something where the local system administrator who wants to use our software will have to make compatible groups to match up with the groups we've defined in our software?
Basically, I would like some references, or clarification on the process of giving our internal rights to AD Users / Groups. We're using SQLite to provide an embedded, encrypted Database which holds our internal users/groups/rights.
Thank you!

If you just want to 'clone' the users that exist in the directory server, you can do it with a batch file or powershell (or C# if you prefer) script that just iterates over the directory groups/users and recreates them in their representation in your application.
If you are trying to authenticate via a directory server, and get the user information from the thread identity or from the other authentication mechanisms in .net land, you'll need to get a bit dirty, especially if the directory server software and versions vary from customer to customer.
Which is your goal?
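The first option above (cloning the directory's groups and users into the application's own representation) looks like this in C#. This is an added example, not code from the question or the answer; it assumes .NET 3.5 or later on a domain-joined machine, a naming prefix the local administrator uses for the application's AD groups, and hypothetical AppGroup/AppUser types standing in for the app's SQLite-backed model. Users and groups are keyed by SID, which survives renames and OU moves, rather than by display name.

```csharp
// Added example: enumerate AD groups and their members with
// System.DirectoryServices.AccountManagement and build the application-side
// representation keyed by SID. AppGroup/AppUser are hypothetical app types.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

public sealed class AppUser
{
    public string Sid;          // stable key: survives renames and OU moves
    public string LogonName;    // sAMAccountName, for display only
}

public sealed class AppGroup
{
    public string Sid;
    public string Name;
    public List<AppUser> Members = new List<AppUser>();
}

public static class DirectoryCloner
{
    // Reads every group whose name starts with groupNamePrefix (the groups the
    // local administrator created for this application, e.g. "MyApp-Administrators")
    // and returns them with their user members, nested groups flattened.
    public static List<AppGroup> CloneGroups(string domain, string groupNamePrefix)
    {
        var result = new List<AppGroup>();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var filter = new GroupPrincipal(ctx) { Name = groupNamePrefix + "*" })
        using (var searcher = new PrincipalSearcher(filter))
        using (var found = searcher.FindAll())
        {
            foreach (Principal p in found)
            {
                var group = (GroupPrincipal)p;
                var appGroup = new AppGroup { Sid = group.Sid.Value, Name = group.SamAccountName };

                // recursive = true resolves nested groups down to their leaf members
                foreach (Principal m in group.GetMembers(true))
                {
                    var user = m as UserPrincipal;
                    if (user != null)   // skip computers, contacts and other non-user members
                    {
                        appGroup.Members.Add(new AppUser { Sid = user.Sid.Value, LogonName = user.SamAccountName });
                    }
                    m.Dispose();
                }
                result.Add(appGroup);
                group.Dispose();
            }
        }
        return result;
    }

    // Usage: prints the cloned structure; "corp.example" is a placeholder domain.
    public static void Main()
    {
        foreach (AppGroup g in CloneGroups("corp.example", "MyApp-"))
        {
            Console.WriteLine("{0} ({1})", g.Name, g.Sid);
            foreach (AppUser u in g.Members)
                Console.WriteLine("    {0} ({1})", u.LogonName, u.Sid);
        }
    }
}
```

Run this on a schedule (or from the DirSync-style change polling discussed further down the page) rather than once, since the directory is the authoritative copy and membership drifts; storing the SID means a renamed account still matches its existing rights row.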

Related

C# get a list of computers that a user has access to in a domain

I am writing a C# winform and trying to get a list of computers in a domain from one user account using active Directory (AD) but I can't seem to figure it out.
Any guidance or samples would be much appreciated.
Thanks
JPL
The only way AD can enforce this is with the list of machines a user is allowed to logon to, which is an attribute of the user, not the computer. It's a legacy feature and probably not what you're expecting.
In practice, computers define who can logon to them based on a number of security rights, e.g. Allow Logon Locally, Allow Logon via Remote Desktop, etc. You would need to query each computer to find out what users/groups are in those rights, and then compare that to the user's token to see if there's a match.
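Reading the legacy per-user restriction the answer mentions (the "Log On To" list, stored in the userWorkstations attribute) is straightforward. The following is an added example, not code from the question or the answer; it assumes a domain-joined machine, a caller with read access to the user object, and that the caller-supplied account name is untrusted, so it is escaped before being placed in the LDAP filter.

```csharp
// Added example: read the user's "Log On To" workstation list (userWorkstations)
// via System.DirectoryServices. An empty result means AD imposes no workstation
// restriction; each computer still decides via its own logon rights.
using System;
using System.DirectoryServices;
using System.Text;

public static class LogonWorkstations
{
    public static string[] GetAllowedWorkstations(string samAccountName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domain = new DirectoryEntry("LDAP://" + defaultNc))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeLdapFilterValue(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("userWorkstations");

                SearchResult result = searcher.FindOne();
                if (result == null)
                    throw new ArgumentException("user not found: " + samAccountName);
                if (!result.Properties.Contains("userWorkstations"))
                    return new string[0];   // attribute absent: no restriction set

                // The attribute is a single comma-separated string of NetBIOS names.
                string raw = (string)result.Properties["userWorkstations"][0];
                return raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            }
        }
    }

    // RFC 4515 escaping so a caller-supplied value cannot change the filter's meaning.
    static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Usage: "jsmith" is a placeholder account name.
    public static void Main()
    {
        string[] machines = GetAllowedWorkstations("jsmith");
        Console.WriteLine(machines.Length == 0
            ? "no workstation restriction"
            : "allowed on: " + string.Join(", ", machines));
    }
}
```

As the answer says, this list is only what AD enforces at the user; the rights each computer grants (Allow log on locally, Allow log on through Remote Desktop) live on the computer and have to be read there.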

How to monitor actions in Active Directory

I'm working on an application that now wants to integrate Active Directory. It should be able to import users from Active Directory, as well as reflect changes: for example, if a user is created/deleted/updated etc. in Active Directory, the user should be created/deleted/updated in the database table the application reads from. I know that LDAP can be used to query Active Directory to import users, but I'm not sure how to cater for the other areas.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms677625%28v=vs.85%29.aspx
The previously supplied link is a good one. Of those ideas, my general suggestion is to use DirSync. It allows you to poll AD with a token and get all changes since the previous poll. All you have to do is remember the token (it comes back with the response to the query).
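A DirSync poll in C# looks like the following. This is an added example, not code from the question or the answers; it assumes .NET 3.5 or later on a domain-joined machine, a file path for persisting the cookie, and that the caller has read access to the objects it wants to see (the ObjectSecurity option is used so the account does not need the "Replicating Directory Changes" right, at the cost of only seeing what it can read; the hypothetical DirectoryChange type is the app's own change record).

```csharp
// Added example: incremental change polling with the LDAP DirSync control via
// System.DirectoryServices. Each poll returns only objects changed since the
// cookie was issued and hands back a new cookie to persist for the next poll.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;

public sealed class DirectoryChange
{
    public string Path;            // ADsPath of the object (a deleted object appears under "Deleted Objects")
    public Guid ObjectGuid;        // stable key: the DN changes on rename or move, the GUID does not
    public bool IsDeleted;
    public Dictionary<string, object> ChangedAttributes = new Dictionary<string, object>();
}

public static class DirSyncPoller
{
    // Runs one poll. A missing cookie file means a full initial load; the
    // updated cookie is written back only after all results were consumed.
    public static List<DirectoryChange> Poll(string cookiePath)
    {
        byte[] cookie = File.Exists(cookiePath) ? File.ReadAllBytes(cookiePath) : null;
        var changes = new List<DirectoryChange>();

        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
            // DirSync must be rooted at the naming context itself, not at an OU.
            using (var root = new DirectoryEntry("LDAP://" + defaultNc))
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
                searcher.PropertiesToLoad.AddRange(new[] {
                    "objectGUID", "isDeleted", "sAMAccountName", "displayName", "mail", "userAccountControl" });

                // ObjectSecurity: results are limited to what the caller may read,
                // so the polling account does not need the replication right.
                searcher.DirectorySynchronization = cookie == null
                    ? new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity)
                    : new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity, cookie);

                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                    {
                        var change = new DirectoryChange { Path = r.Path };
                        if (r.Properties.Contains("objectGUID"))
                            change.ObjectGuid = new Guid((byte[])r.Properties["objectGUID"][0]);
                        change.IsDeleted = r.Properties.Contains("isDeleted")
                                           && (bool)r.Properties["isDeleted"][0];

                        // Only attributes that changed come back; record them as-is.
                        foreach (string attr in r.Properties.PropertyNames)
                        {
                            if (attr == "objectGUID" || attr == "isDeleted" || attr == "adspath") continue;
                            change.ChangedAttributes[attr] =
                                r.Properties[attr].Count > 0 ? r.Properties[attr][0] : null;
                        }
                        changes.Add(change);
                    }
                }

                // The cookie is only valid once the result set has been enumerated.
                File.WriteAllBytes(cookiePath,
                    searcher.DirectorySynchronization.GetDirectorySynchronizationCookie());
            }
        }
        return changes;
    }

    // Usage: "dirsync.cookie" is a placeholder path in the working directory.
    public static void Main()
    {
        foreach (DirectoryChange c in Poll("dirsync.cookie"))
            Console.WriteLine("{0} {1} {2} attrs={3}", c.IsDeleted ? "DEL" : "UPD",
                              c.ObjectGuid, c.Path, c.ChangedAttributes.Count);
    }
}
```

Key the application's rows on objectGUID (or the SID) rather than the distinguished name, because a deleted object is reported under the Deleted Objects container with a mangled DN, and a moved or renamed user shows up with a new DN but the same GUID. Treat the cookie as state that must be stored durably; losing it forces a full reload.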

Log into application with Windows Network Authentication

Not sure if there is another thread with the answer, but tried looking and nothing stood out.
Our company runs Windows Server 2008 R2 and as part of the normal login procedure you type your username and password. IT sets the domain when you get your PC so that is all good. So, when you open IE, the intranet site detects that you are person XXX YYY and then logs you into the site automatically as the right person.
Now is there any way that I can do the same with an application written in C# or VB.NET? I.e., I would like the user to not have to log in as they have already done so during Windows login, and then use the application as the individual user. This is for logging purposes and specific rights for each group (like admins or guests etc.).
You can use Environment.UserName to get the username of the current user, but you will still need to store some permissions pertaining to this user somewhere.
You can make people a member of an Active Directory group and then grant them permissions based on which group they are a member of but this will require that you (or your application) has the ability to create AD groups and move people in and out of them. If you need some pointers to this then I can find some code.
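For both this question and the first one on the page (giving internal rights to AD users and groups), the piece that ties them together is a mapping from AD group SIDs to the application's own groups, checked against the groups already in the user's Windows logon token. The following is an added example, not code from the questions or the answers; it assumes a Windows desktop application, a hypothetical AppRole enumeration standing in for the app's internal groups, and a mapping table that the local administrator fills in after creating the matching AD groups (the SIDs shown are constructed placeholders, not real values).

```csharp
// Added example: resolve the already-authenticated Windows user's application
// role from the group SIDs in their logon token. No second login is needed.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public enum AppRole { Guest = 0, Employee = 1, Administrator = 2 }

public static class WindowsRoleResolver
{
    // AD group SID -> application role. Keyed by SID, not by name, because
    // group names can be renamed or reused. Placeholder SIDs; in the real app
    // this table is administrator-configured and stored with the other rights.
    static readonly Dictionary<SecurityIdentifier, AppRole> GroupToRole =
        new Dictionary<SecurityIdentifier, AppRole>
    {
        { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105"), AppRole.Administrator },
        { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1106"), AppRole.Employee },
    };

    // Highest role granted by any mapped group present in the token.
    public static AppRole Resolve(WindowsIdentity id)
    {
        if (id == null || !id.IsAuthenticated) return AppRole.Guest;
        var principal = new WindowsPrincipal(id);
        AppRole best = AppRole.Guest;
        foreach (KeyValuePair<SecurityIdentifier, AppRole> entry in GroupToRole)
        {
            // IsInRole(SecurityIdentifier) checks the token, so nested group
            // membership is already expanded by the logon process.
            if (principal.IsInRole(entry.Key) && entry.Value > best)
                best = entry.Value;
        }
        return best;
    }

    // Audit record using the token's SID and name rather than Environment.UserName:
    // the SID is the durable identity, the name is only a label.
    public static string AuditLine(WindowsIdentity id, AppRole role, string action)
    {
        return string.Format("{0:o} sid={1} user={2} role={3} action={4}",
                             DateTime.UtcNow, id.User, id.Name, role, action);
    }

    // Usage: resolve the interactive user at startup and log the result.
    public static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        AppRole role = Resolve(me);
        Console.WriteLine(AuditLine(me, role, "app-start"));
    }
}
```

The application itself never needs the ability to create AD groups for this to work: the administrator creates the groups once, the mapping table records their SIDs, and membership changes made in AD take effect at the user's next logon, when the token is rebuilt.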

Synchronization between c# app and Active directory

I'm developing an application that manages information about users and save the data in a SQL Server. I would like to 'somehow' connect this application with our Active Directory, so all the changes this app will make will be reflected in the Active Directory too (if we add a new user in the app, it will be added also in the Active Directory)
Is it possible? if so, which are my options?
Thanks in advance
Don't do it. Let AD be the authoritative copy of your user base, and let the users always be created in AD first and then propagate to SQL. By letting users be added through a different path (SQL first) you open a huge can of worms with regard to security. If a user is defined in SQL but not in AD, what exactly is that user? How can he log in? To what groups does he belong? Is he allowed access or not to this resource or that resource? How about cases when a user is added in AD and in SQL with different characteristics and then you need to reconcile?
Modify your application to always create the user in AD, in conformance with the AD policies and security requirements (password complexity being the most trivial example). Then let AD synchronize with SQL.
The way I chose to solve this problem was to add an event that was triggered when I saved my user object. The listener on this event would then send an update to Active Directory. In my case I was doing a one way sync to Active Directory and it was also a best effort attempt, meaning if it failed I was fine with it. If you need to do some more reliability around it you will want to wrap your SQL updates inside of a transaction and only commit after active directory is updated.
If you need a two way sync with Active Directory you will need to look at doing some sort of a background synchronization with Active Directory where you iterate over your users and check for updates in AD.
If you are doing a one-way sync to AD, I agree with Aaron that you should simply have a Trigger in SQL server. Note that this solution may suffer from some problems, like the user accounts already created, user name or password doesn't meet the AD complexity rule. You need to then find some ways to log the error. You may also need a tool to do initial provisioning of your database accounts.
If you want to do two-way sync, I suggest you read up on DirSync. You probably need to write an NT service to do it. I hope you don't store passwords in your database. I highly suggest you use Windows authentication. If you do need to sync up the password, you may need to write your own passwordsync and install it on all the domain controllers in your domain.
If you are developing a solution for enterprise, you should look up the existing meta-directory solution products from Microsoft: MIIS, ILM, FIM.
They are all the same thing, just with different names. Many enterprises have adopted this as their meta directory solution. You just need to write an extension to leverage its provided infrastructure to do the identity synchronization.
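The "AD first, then SQL" ordering recommended above, with the SQL side wrapped in a transaction as suggested in the second answer, looks like this in C#. This is an added example, not code from the question or the answers; it assumes .NET 3.5 or later, a SQL Server connection string, a hypothetical AppUser table with Sid/LogonName/DisplayName columns, and that the initial password is supplied by the caller and enforced by the domain's own policy.

```csharp
// Added example: provision a user in AD first, then record the SID in SQL
// inside a transaction. If AD rejects the account (duplicate, password policy),
// nothing reaches SQL, so "SQL-only" users cannot come into existence.
using System;
using System.Data.SqlClient;
using System.DirectoryServices.AccountManagement;

public static class AdFirstProvisioner
{
    public static string CreateUser(string connectionString, string domain,
                                    string samAccountName, string displayName,
                                    string initialPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            using (UserPrincipal existing = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (existing != null)
                    throw new InvalidOperationException("account already exists in AD: " + samAccountName);
            }

            using (var user = new UserPrincipal(ctx))
            {
                user.SamAccountName = samAccountName;
                user.Name = samAccountName;
                user.DisplayName = displayName;
                try
                {
                    user.SetPassword(initialPassword);  // domain password policy applies here
                    user.Enabled = true;
                    user.Save();                        // the SID exists only after Save
                }
                catch (PasswordException ex)
                {
                    // Surface the policy failure to the caller instead of silently skipping.
                    throw new InvalidOperationException("password rejected by domain policy", ex);
                }
                string sid = user.Sid.Value;

                // AD succeeded; now record the user locally, keyed by SID.
                using (var conn = new SqlConnection(connectionString))
                {
                    conn.Open();
                    using (SqlTransaction tx = conn.BeginTransaction())
                    using (SqlCommand cmd = conn.CreateCommand())
                    {
                        cmd.Transaction = tx;
                        cmd.CommandText =
                            "INSERT INTO AppUser (Sid, LogonName, DisplayName) VALUES (@sid, @logon, @name)";
                        cmd.Parameters.AddWithValue("@sid", sid);
                        cmd.Parameters.AddWithValue("@logon", samAccountName);
                        cmd.Parameters.AddWithValue("@name", displayName);
                        cmd.ExecuteNonQuery();
                        tx.Commit();
                    }
                }
                return sid;
            }
        }
    }
}
```

If the SQL insert fails after the AD account was created, the account still exists in the authoritative store, so a periodic AD-to-SQL sync (for example the DirSync polling shown earlier on the page) repairs the local table on its next run; the reverse failure, a SQL row with no AD account, is the case the answers warn against, and this ordering makes it impossible.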

Active Directory query from C# web app - store permissions in SQL

We have a bespoke c# web app that stores extra information about a physical folder structure. Every folder or file in the company share has a record in sql. We use the web app to search these records. I want to store active directory permissions of the physical paths against the sql records.
What is the preferred method of querying AD in c# (.net 3.5)?
Do I store the friendly group/user name or the SID?
Is the SID unique?
Does the SID change if a user moves to another location (different OU)?
The idea is that the query can look like this...
SELECT CompanyDoc.Name, CompanyDoc.Path
FROM CompanyDoc
INNER JOIN Permission ON CompanyDoc.ID = Permission.CompanyDocID
WHERE CompanyDoc.MetaData = #search param
AND Permission.SID IN ( #userSidList )
GROUP BY CompanyDoc.Name, CompanyDoc.Path
1) You can't query AD to get the permissions on the file. You have to query the filesystem for that. You can get the users and roles by querying AD, though.
2) The SID.
3) Yes, for your AD users it is. For special built-in accounts, they will be shared across systems.
4) No.
By the way, the whole concept of your app kind of scares me. It sounds like you might need to go back to the drawing board.
I can't answer all of your points but for point 1, try looking at LINQ To AD. It is a nice way to talk to Active Directory from C# since you are already in .NET 3.5.
There's an excellent MSDN Magazine Article available which shows how to query for and manage user and groups in .NET 3.5 Active Directory (the "System.DirectoryServices.AccountManagement" namespace):
Managing Directory Security Principals in the .NET Framework 3.5
That should help you get started.
Marc
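Putting the first answer's points together (permissions come from the filesystem, store the SID, built-in SIDs are shared across machines) gives the following C# for populating the Permission table and for building the #userSidList in the question's query. This is an added example, not code from the question or the answers; it assumes .NET 3.5 or later running under an account that can read the ACLs on the company share, and a hypothetical PermissionRow type standing in for the app's SQL row.

```csharp
// Added example: read a folder's DACL into SID-keyed rows and derive the
// caller's SID list from the Windows logon token.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public sealed class PermissionRow
{
    public string Path;
    public string Sid;                  // what goes in Permission.SID
    public string Account;              // friendly name for display only; null if the SID is orphaned
    public FileSystemRights Rights;
    public bool Allow;                  // false for an explicit Deny entry
    public bool Inherited;
    public bool IsBuiltIn;              // not a domain/local account SID: same value on every machine
}

public static class FolderPermissions
{
    public static List<PermissionRow> Read(string folder)
    {
        var rows = new List<PermissionRow>();
        DirectorySecurity acl = new DirectoryInfo(folder).GetAccessControl(AccessControlSections.Access);

        // Ask for SecurityIdentifier so nothing depends on name resolution.
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            rows.Add(new PermissionRow
            {
                Path = folder,
                Sid = sid.Value,
                Account = TryTranslate(sid),
                Rights = rule.FileSystemRights,
                Allow = rule.AccessControlType == AccessControlType.Allow,
                Inherited = rule.IsInherited,
                IsBuiltIn = !sid.IsAccountSid(),   // S-1-5-21-... SIDs are account SIDs
            });
        }
        return rows;
    }

    // A SID whose account was deleted no longer resolves; keep the SID, drop the name.
    static string TryTranslate(SecurityIdentifier sid)
    {
        try { return ((NTAccount)sid.Translate(typeof(NTAccount))).Value; }
        catch (IdentityNotMappedException) { return null; }
    }

    // The user's own SID plus every group SID in the token (nested groups
    // already expanded): this is the #userSidList for the query in the question.
    public static List<string> TokenSids(WindowsIdentity id)
    {
        var sids = new List<string> { id.User.Value };
        foreach (IdentityReference g in id.Groups)
            sids.Add(g.Value);
        return sids;
    }

    // Usage: @"\\fileserver\share\Finance" is a placeholder path.
    public static void Main()
    {
        foreach (PermissionRow r in Read(@"\\fileserver\share\Finance"))
            Console.WriteLine("{0} {1} {2} {3}{4}", r.Allow ? "ALLOW" : "DENY ", r.Sid,
                              r.Account ?? "<orphaned>", r.Rights, r.IsBuiltIn ? " (built-in)" : "");

        Console.WriteLine("caller SIDs: " + string.Join(", ", TokenSids(WindowsIdentity.GetCurrent()).ToArray()));
    }
}
```

Two caveats follow from the answer's warning about the design: a query that matches Allow rows alone will show a document to a user who is in an allowed group but also hit by a Deny entry, so Deny rows need to win when the SQL side evaluates access; and the rows are a snapshot, so anything that changes the ACL on the share without re-running this import leaves the table stale.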
