How to monitor actions in Active Directory - c#

I'm working on an application that now wants to integrate Active Directory. It should be able to import users from Active Directory, as well as reflect changes, for example if a user is created/deleted/updated etc. in Active Directory, the user should be created/deleted/updated in the database table the application reads from. I know that LDAP can be used to query Active Directory to import users, but I'm not sure how to cater for the other areas.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms677625%28v=vs.85%29.aspx

The previously supplied link is a good one. Of those ideas, my general suggestion is to use DirSync. It allows you to poll AD with a token and get all changes since the previous poll. All you have to do is remember the token (it comes back with the response to the query).
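An added example (not from the answer above or from any Microsoft sample) of the DirSync polling this answer describes, which also covers the "Polling for Changes Using the DirSync Control" option in the later thread: each poll sends the cookie from the previous response, and the server returns only objects changed since then. Server name, naming context and cookie file name are assumptions; the bound account needs the "Replicating Directory Changes" right on the naming context.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.IO;

// Hypothetical values: replace with your domain controller and the naming context to watch.
class DirSyncPoller
{
    const string Server = "dc01.example.local";
    const string NamingContext = "DC=example,DC=local";
    const string CookieFile = "dirsync.cookie"; // the token kept between polls

    static void Main()
    {
        // A null cookie asks for a full initial sync; afterwards only changes are returned.
        byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null;
        using (var connection = new LdapConnection(Server))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Negotiate; // account needs "Replicating Directory Changes"
            connection.Bind();
            bool moreData;
            do
            {
                var request = new SearchRequest(NamingContext, "(objectClass=user)", SearchScope.Subtree,
                    "objectGUID", "sAMAccountName", "givenName", "sn", "isDeleted");
                request.Controls.Add(new DirSyncRequestControl(cookie,
                    DirectorySynchronizationOptions.ObjectSecurity, int.MaxValue));
                var response = (SearchResponse)connection.SendRequest(request);
                moreData = false;
                foreach (DirectoryControl control in response.Controls)
                {
                    if (control is DirSyncResponseControl dirSync)
                    {
                        cookie = dirSync.Cookie;     // remember for the next poll
                        moreData = dirSync.MoreData; // more pages in this cycle
                    }
                }
                foreach (SearchResultEntry entry in response.Entries)
                {
                    // Only attributes changed since the cookie are returned; a deleted user
                    // comes back as a tombstone carrying isDeleted=TRUE. Key your table on objectGUID.
                    string action = entry.Attributes.Contains("isDeleted") ? "DELETE" : "UPSERT";
                    Console.WriteLine("{0} {1}", action, entry.DistinguishedName);
                }
            } while (moreData);
        }
        if (cookie != null) File.WriteAllBytes(CookieFile, cookie);
    }
}
```

Run it on a schedule; losing the cookie file simply forces a full resync on the next run.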

Related

Map Active Directory Users to Internal Groups

We have an in-house database that works with Users & Groups, and assigns Rights to certain Groups, and assigns Groups to Users.
We're looking to integrate this with Active Directory and I had a few questions on the subject.
If our software creates the groups "Administrators" and "Employees", how do we go about assigning AD users to these groups? Is this something where the local system administrator who wants to use our software will have to make compatible groups to match up with the groups we've defined in our software?
Basically, I would like some references, or clarification on the process of giving our internal rights to AD Users / Groups. We're using SQLite to provide an embedded, encrypted Database which holds our internal users/groups/rights.
Thank you!
If you just want to 'clone' the users that exist in the directory server, you can do it with a batch file or PowerShell (or C# if you prefer) script that just iterates over the directory groups/users and recreates them in their representation in your application.
If you are trying to authenticate via a directory server, and get the user information from the thread identity or from the other authentication mechanisms in .net land, you'll need to get a bit dirty, especially if the directory server software and versions vary from customer to customer.
Which is your goal?

Where to store a queryable user specific log in a domain?

I have an app that is running on a Remote Desktop Session Host server that tracks user logon/logoff/idle times; however, I do not know a good place to store the data I am gathering.
The user turnover rate is fairly high, a user account will only exist for 1-4 months and will have at most about 3KB of XML formatted logs associated with it.
The data needs to be retrievable from other users (specifically a service that other users query) so I think storing it in the users AppData folder is out of the question.
I was thinking of storing an XML log in an Active Directory attribute, but I do not know if Active Directory is really designed to store text blobs in the 3KB range.
My last thought was using something like a SQLite database. However with the high user turnover rate I was hoping to use something that was stored per user. That way when the user is deleted the records are deleted with the user and I don't need to worry about keeping a database in sync if a user is deleted via methods outside of the management software I have set up.
What is the best option to log records in this situation?
I would suggest a log folder containing sub-folders per user.
Run a (scheduled) PowerShell script to clean up after deleting the account, or to archive if historical info suddenly gains value.
The data is then at a specified location, easily locatable and accessible for (only) the user without polluting the AD.

Catch ActiveDirectory "addUser" Event in c#?

We have the ability of "AutoLogin" in our systems.
So if I create a new user in AD as "John" - then John has the ability to access the intranet web site ( we query AD to see if the current user is in AD).
But
We also have a users table (SQL Server) which needs to have the FirstName and LastName of the new user.
We want to update that Users table each time a new user in AD is created - some C# code should be run to enter the relevant data into SQL Server (and some other things).
How can I catch the event of "new user in AD created"?
Check out Ryan Dunn's excellent blog post:
Implementing Change Notifications in .NET
that deals with this exact topic. He offers three options:
Polling for Changes using uSNChanged
Polling for Changes Using the DirSync Control
Change Notifications in Active Directory
and shows pros and cons for each of the options, and some C# code for the third option (Change Notifications).
You can use System.DirectoryServices.Protocols.DirectoryNotificationControl from C# for this purpose so you don't have to poll AD for changes.
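An added example (not from the answer above or from Ryan Dunn's post) of the change-notification approach with DirectoryNotificationControl: one long-running asynchronous search on which the server pushes an entry for every create, modify or delete, so nothing polls AD. Server and search base are assumptions; the callback is where the application would write the SQL Server users row.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Linq;

// Hypothetical values: replace with your domain controller and domain naming context.
class AdChangeNotifier
{
    const string Server = "dc01.example.local";
    const string SearchBase = "DC=example,DC=local";

    static void Main()
    {
        using (var connection = new LdapConnection(Server))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Negotiate;
            connection.Bind();
            // The notification control only allows the filter (objectClass=*), so the
            // object type is checked client-side in the callback.
            var request = new SearchRequest(SearchBase, "(objectClass=*)", SearchScope.Subtree,
                "objectClass", "sAMAccountName", "givenName", "sn", "isDeleted");
            request.Controls.Add(new DirectoryNotificationControl());
            // The server keeps this request open for the timeout and pushes an entry every
            // time an object in scope changes; a service would re-issue it when it expires.
            connection.BeginSendRequest(request, TimeSpan.FromDays(1),
                PartialResultProcessing.ReturnPartialResultsAndNotifyCallback, OnChange, connection);
            Console.WriteLine("Listening for directory changes; press Enter to stop.");
            Console.ReadLine();
        }
    }

    static void OnChange(IAsyncResult result)
    {
        var connection = (LdapConnection)result.AsyncState;
        foreach (SearchResultEntry entry in connection.GetPartialResults(result))
        {
            string[] classes = entry.Attributes.Contains("objectClass")
                ? entry.Attributes["objectClass"].GetValues(typeof(string)).Cast<string>().ToArray()
                : new string[0];
            if (!classes.Contains("user") || classes.Contains("computer")) continue; // users only
            // A deleted user arrives as a tombstone (isDeleted=TRUE) in the Deleted Objects
            // container, which the subtree search on the domain root still covers.
            string action = entry.Attributes.Contains("isDeleted") ? "DELETE" : "UPSERT";
            Console.WriteLine("{0} {1}", action, entry.DistinguishedName);
            // Update the application's users table here (e.g. insert/update the SQL Server row).
        }
    }
}
```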
WMI is perhaps a second solution you can dig into. AD WMI providers exist. Using WMI to Monitor AD gives you some clues about that. This article doesn't do more than what you have so far, but I think that with WMI events you can create the notifications you need. You can find Microsoft information about this, beginning in Monitoring Active Directory Health, especially Active Directory WMI Providers.
It is unlikely that you can capture that kind of event without wrapping the actual function of adding the new user into some kind of C# routine. If you go down this route, you can add the user to AD and MySQL at the same time.
Another option would be to poll the AD users and check this against the existing MySQL users and add new ones when found.

Refresh current user profile

... I want to grant a user temporary administrator privileges via a C# tool. Therefore I add the user to the administrator user group (a background service running under a privileged service account does this job). However, the changes take effect only in new sessions (after logout/re-login), which is inconvenient. Is there a way to refresh the current user profile?
I tried several ways:
via .NET Process.Start with the LoadUserProfile property set to true.
The next try was via the LoadUserProfile Win32 API function.
Another way was to impersonate the user with .NET impersonation.
All these tries did not recognize the privilege changes. It seems to me that there is a cached user profile which contains the old privileges and is reloaded anytime.
The only way where a new profile was loaded is the runas command; however, we do not want the user to play around with the command line, it should be possible to do this from .NET.
Would be great if there is another option. Maybe there is a tool which can do this?
Ok, I relog-in the user and then I use the new Token in combination with e.g. CreateProcessAsUser to run a new process using the new token. Is there a way to assign the current windows environment the new token and therefore all actions the user performs in windows use this new token? Otherwise I could use some other tools like lsrunas to open a process in a new context and avoid the winapi calls.
From our perspective we trust the user (it is his private notebook), he can install the software he wants (for a temporary time), but we document each installation with our tool. We are running a service with local admin account in background which manages the group assignment and system documentation.
When logging on to Windows a security token is created, where all group memberships (including nested memberships) are resolved. The token contains a list of SIDs (Security Identifiers) that the user belongs to. The first SID is the user's own ID and then any groups and roles (such as interactive logon, everyone etc.) are included. This means that group membership does not have to be looked up against the user DB (possibly an Active Directory server) each time an access check is done. Instead the ACL (Access Control List) of the object (e.g. a file) is checked against the token.
To refresh the group membership you need to have a new token created. Either you can log out and then log in again as you describe it, or you have to do another login with LogonUser for the same user. That function is not accessible to a normal user, however.
I think that it all boils down to finding another design. Adding and removing a user from the admin group dynamically looks strange from a security perspective. Is there any other way you can give the user access to the resources needed? Can you do the actual work from within a Windows Service that runs under the LocalSystem account?

Synchronization between c# app and Active directory

I'm developing an application that manages information about users and saves the data in a SQL Server. I would like to 'somehow' connect this application with our Active Directory, so all the changes this app makes will be reflected in the Active Directory too (if we add a new user in the app, it will be added also in the Active Directory).
Is it possible? if so, which are my options?
Thanks in advance
Don't do it. Let AD be the authoritative copy of your user base, and let the users always be created in AD first and then propagate to SQL. By letting users be added through a different path (SQL first) you open a huge can of worms with regard to security. If a user is defined in SQL but not in AD, what exactly is that user? How can he log in? To what groups does he belong? Is he allowed access or not to this resource or that resource? How about cases when a user is added in AD and in SQL with different characteristics and then you need to reconcile?
Modify your application to always create the user in AD, in conformance with the AD policies and security requirements (password complexity being the most trivial example). Then let AD synchronize with SQL.
The way I chose to solve this problem was to add an event that was triggered when I saved my user object. The listener on this event would then send an update to Active Directory. In my case I was doing a one way sync to Active Directory and it was also a best effort attempt, meaning if it failed I was fine with it. If you need to do some more reliability around it you will want to wrap your SQL updates inside of a transaction and only commit after active directory is updated.
If you need a two way sync with Active Directory you will need to look at doing some sort of a background synchronization with Active Directory where you iterate over your users and check for updates in AD.
If you are doing a one-way sync to AD, I agree with Aaron that you should simply have a trigger in SQL Server. Note that this solution may suffer from some problems, like user accounts that already exist, or a user name or password that doesn't meet the AD complexity rules. You then need to find some way to log the error. You may also need a tool to do initial provisioning of your database accounts.
If you want to do two-way sync, I suggest you read up on DirSync. You probably need to write an NT service to do it. I hope you don't store passwords in your database. I highly suggest you use Windows authentication. If you do need to sync up the password, you may need to write your own password sync and install it on all the domain controllers in your domain.
If you are developing a solution for an enterprise, you should look up the existing meta-directory solution products from Microsoft: MIIS, ILM, FIM.
They are all the same thing, just with different names. Many enterprises have adopted this as their meta-directory solution. You just need to write an extension that leverages its provided infrastructure to do the identity synchronization.
