Reading Active Directory fields

Markus

I would like to eliminate the need to log in to my app by using Active
Directory (AD). That is, if a valid user has logged in to the network (AD
login) then I will assume they have the right to run my app. However, I
still need to add them to my app's user table.

To do this, when they attempt to run my app, I need to read the name of the
current logged user, check to see if they are in my user table, and if not,
add them. When I add them, I would like to get their login name, full name,
phone, email, and AD group name to store into my user table.

Can anyone help me on programmatically reading the AD database to get this
info?

Thanks for any and all ideas on this,
Mark
 
Tony Toews [MVP]

Markus said:
> I would like to eliminate the need to log in to my app by using Active
> Directory (AD). That is, if a valid user has logged in to the network (AD
> login) then I will assume they have the right to run my app. However, I
> still need to add them to my app's user table.
>
> To do this, when they attempt to run my app, I need to read the name of the
> current logged user, check to see if they are in my user table, and if not,
> add them.

API: Get Login name
http://www.mvps.org/access/api/api0008.htm

> When I add them, I would like to get their login name, full name,
> phone, email, and AD group name to store into my user table.

Why store the data redundantly when it's in the AD? What happens if
the data changes? If you must store it in the tables for performance
reasons then the data should be read and, if required, updated every
time they enter the database.

I kept a page of notes when I was working on this topic. Below is
every link I found useful or not. Some may or may not be useful to
you.


Enumerating Local Groups and Descriptions with NetLocalGroupEnum
Pasted from
<http://vbnet.mvps.org/code/network/netlocalgroupenumdesc.htm>

Enumerating Members of a Group with NetLocalGroupGetMembers
Pasted from
<http://vbnet.mvps.org/code/network/netgocalgroupgetmembers.htm>

Xcacls.exe
Pasted from
<http://support.microsoft.com/default.aspx?scid=KB;EN-US;825751>

How To Use High-Level Access Control APIs from Visual Basic
Pasted from
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;295004>

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsgroup.asp

http://groups.google.ca/groups?hl=e...=off&q=adsi+search+organizationalunit&spell=1

ldap

http://msdn.microsoft.com/library/d...ry/en-us/dnanchor/html/anch_activediradsi.asp

Active Directory Service Interfaces Quick-start Tutorials
Pasted from
<http://msdn.microsoft.com/library/en-us/adsi/adsi/adsi_quick-start_tutorials.asp?frame=true>

IADsAccessControlEntry
Pasted from
<http://msdn.microsoft.com/library/en-us/adsi/adsi/iadsaccesscontrolentry.asp?frame=true>

An ADSI Primer, Part 11: More on Scripting Permissions and Auditing
(Windows Scripting though)
Pasted from
<http://www.windowsitpro.com/WindowsScripting/Article/ArticleID/7456/7456.html>

Various constants are at the following:
http://www.serverwatch.com/tutorials/article.php/1476721

Security and Access Rights
http://msdn.microsoft.com/library/d...leio/base/file_security_and_access_rights.asp


Also Richard is a fellow MVP and has lots of sample code at his
website. It's VBScript but should still work reasonably well.

http://www.rlmueller.net/products.htm




ADO

Using ADO, you can use Provider=ADsDSOObject:

"Provider=ADSDSOObject;User ID=MyUserID;Password=MyPassword;"

and query using LDAP SQL:

SELECT ADsPath, cn FROM 'LDAP://OU=Sales,DC=Fabrikam,DC=COM' WHERE
objectCategory='person' AND objectClass ='user'

It is possible to bind a form to an ADO recordset, but it doesn't
always work.

--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
 
Kanth

Markus,


You can use the following script to get the user information.

'Script
'------------------------------------
Dim objFSO, objFolder, objShell, objFile, objWshNetwork, objADsUser, objTextFile
Dim strDirectory, strFile, strUserName, strLdapString, intLogonTime

strUserName = InputBox("UserID?", "Get User Information")
' Look up the ADsPath of the user object for this login name
strLdapString = fGetLdapObject(strUserName, "user")

If strLdapString = "" Then

    MsgBox "UserID Not Found", 16, "Get User Information"

Else

    ' Bind to the user object and show selected attributes
    Set objADsUser = GetObject(strLdapString)

    wscript.echo "Login Name" & vbTab & ": " & strUserName & vbCrlf & vbCrlf
    wscript.echo "Display name" & vbTab & ": " & objADsUser.DisplayName & vbCrlf
    wscript.echo "First name" & vbTab & ": " & objADsUser.FirstName & vbCrlf
    wscript.echo "Last name" & vbTab & ": " & objADsUser.LastName & vbCrlf
    'wscript.echo "Company" & vbTab & vbTab & ": " & objADsUser.Company & vbCrlf
    'wscript.echo "Address" & vbTab & vbTab & ": "& objADSUser.streetAddress
    wscript.echo "Mail" & vbTab & vbTab &": " & objADsUser.Mail & vbCrlf
    'wscript.echo "Profile path" & vbTab & ": " & objADsUser.ProfilePath & vbCrlf
    'wscript.echo "TS Profile path" & vbTab & ": " & objADsUser.TerminalServicesProfilePath & vbCrlf
    'wscript.echo "TS Home Drive" & vbTab & ": " & objADsUser.TerminalServicesHomeDrive & vbCrlf
    'wscript.echo "TS Home Folder" & vbTab & ": " & objADsUser.TerminalServicesHomeDirectory & vbCrlf & vbCrlf

End If

' Returns the ADsPath of the object whose sAMAccountName is strName,
' or "" when no match is found.
Function fGetLdapObject(strName, strClass)

    Dim sSearchFilter
    Dim ds
    Dim con
    Dim rs
    Dim Com
    Dim oIADs
    Dim sLdap
    Dim sUserADsPath

    ' The name is concatenated into the query text below, so refuse a
    ' quote or wildcard that would change what the query matches.
    If InStr(strName, "'") > 0 Or InStr(strName, "*") > 0 Then
        fGetLdapObject = ""
        Exit Function
    End If

    ' Find the default naming context (the domain) from RootDSE
    Set ds = GetObject("LDAP://RootDSE")
    sLdap = "LDAP://" & ds.Get("defaultNamingContext")
    Set ds = Nothing
    Set oIADs = GetObject(sLdap)
    sSearchFilter = "samaccountname='" & strName & "' and objectClass = '" & _
        strClass & "' and objectClass <> 'computer' and cn <> 'systemmailbox*'"
    Set con = CreateObject("ADODB.Connection")
    Set Com = CreateObject("ADODB.Command")

    ' Connect with the ADSI OLE DB provider, using the current logon
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"

    Set Com.ActiveConnection = con

    Com.CommandText = "SELECT AdsPath FROM '" & oIADs.ADsPath & "' WHERE " & _
        sSearchFilter

    Set rs = Com.Execute

    If Not rs.EOF Then
        rs.MoveFirst
        fGetLdapObject = rs.Fields("AdsPath")
    Else
        fGetLdapObject = ""
    End If
    Set con = Nothing
    Set rs = Nothing
    Set Com = Nothing
    Set oIADs = Nothing
End Function

'---------------------------------------
'End Script
 
a a r o n _ k e m p f

Tony;

that is just stupidest answer I've ever seen in my whole life.

If you want to use active-directory for authentication; then you NEED
to use SQL Server.

Access Data Projects are the most efficient way to implement secure
applications using MS Access.
BTW, they even removed Jet Security (ULS) from Access 2007 (format)
 
Markus

Tony,

If I elect to just use ADS to store the info, does the search for that info
cause a longer delay in getting it than if it were stored in a local table?

Thanks for all the info here, looks like I have some reading to do.
Mark
 
BruceM

It has been repeatedly explained to you that ULS can be used with Access
2007 if it is using Access 2003 format. A lot of programs can work with
files created in previous versions of the program, and can create files in
formats used by previous versions. Access 2007 can create and/or work with
Access 2003 databases, including ULS. Argue if you wish that ULS is
inadequate, but it is a matter of fact that it can be used with the Access
2007 DBMS.

> Tony;
>
> that is just stupidest answer I've ever seen in my whole life.
>
> If you want to use active-directory for authentication; then you NEED
> to use SQL Server.
>
> Access Data Projects are the most efficient way to implement secure
> applications using MS Access.
> BTW, they even removed Jet Security (ULS) from Access 2007 (format)
 
Tony Toews [MVP]

Markus said:
> If I elect to just use ADS to store the info, does the search for that info
> cause a longer delay in getting it than if it were stored in a local table?

You're not storing the info, you are just reading it. Reading the
AD seemed reasonably quick from what I could see but as I was doing
work on this for another purpose which required reading the AD I never
got much into the performance aspect.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
 
Roseanne

Hi,
I am trying to do something very similar in my Access db. I need to
retrieve the group of the user to use in my code. I can connect to AD fine
using the code below but having trouble pulling the group of the user. I am
very new to this and hope I'm being clear.

Thanks for your help,
Roseanne
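
For the case Markus and Roseanne describe (the user who is already logged on, including their groups), the following added example, which is not code from any poster in this thread, binds to the current user's own AD object through the process's logon session, so no user ID is typed in and no password sits in a connection string. The helper names ReadAttr and ReadAttrList are made up for this example.

```vbscript
' Added example (not from the thread): read AD fields for the logged-on user.
Option Explicit

Dim objSysInfo, objUser, strUserDN, varGroups, strGroupDN, objGroup

' ADSystemInfo reports the distinguished name of the account that owns this
' logon session, so nothing typed by the user ends up in a query.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName

' A "/" inside a DN must be escaped before the DN is used in an ADsPath.
Set objUser = GetObject("LDAP://" & Replace(strUserDN, "/", "\/"))

WScript.Echo "Login name : " & ReadAttr(objUser, "sAMAccountName")
WScript.Echo "Full name  : " & ReadAttr(objUser, "displayName")
WScript.Echo "Phone      : " & ReadAttr(objUser, "telephoneNumber")
WScript.Echo "E-mail     : " & ReadAttr(objUser, "mail")

' memberOf holds the DNs of the groups the user is a direct member of.
varGroups = ReadAttrList(objUser, "memberOf")
For Each strGroupDN In varGroups
    Set objGroup = GetObject("LDAP://" & Replace(strGroupDN, "/", "\/"))
    WScript.Echo "Group      : " & ReadAttr(objGroup, "sAMAccountName")
Next

' Hypothetical helper: single-valued attribute, "" when it has no value.
Function ReadAttr(objADs, strAttr)
    On Error Resume Next
    ReadAttr = objADs.Get(strAttr)
    If Err.Number <> 0 Then ReadAttr = ""
    On Error GoTo 0
End Function

' Hypothetical helper: multi-valued attribute as an array, empty when unset.
Function ReadAttrList(objADs, strAttr)
    On Error Resume Next
    ReadAttrList = objADs.GetEx(strAttr)
    If Err.Number <> 0 Then ReadAttrList = Array()
    On Error GoTo 0
End Function
```

memberOf lists only direct memberships; the primary group (normally Domain Users) and groups reached through nesting are not included.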
 
