ADSI Connector
Overview
The ADSIConnector operates with the Windows NT security database. It deals with
NT's users and groups, the two basic entities of the NT security database. The Connector can
both read and modify the NT security database on the local NT machine, the
Primary Domain Controller machine and the Primary Domain Controller
machine of another domain.
Full functional specification of ADSIConnector,
architecture description as well as hardware and software requirements can
be found here.
Example
A demo package containing ready to run configurations for each of the
ADSI Connector's modes is included here.
Preconditions
To run ADSIConnector successfully with its full functionality, the Connector
should run in a process owned by a user who is a member of the local
Administrators group and has logon privileges on the domain controller
and on any other domains that are accessed. This precondition can be omitted if the UserName and
Password parameters of the Connector are set to an account that meets the
requirements stated above.
ADSIConnector
is designed and implemented to work in the following modes: Iterator,
Lookup, AddOnly, Delete, Update. Tuning and using the Connector in each of
these modes is the same as with any other Connector. However, there are
some specifics, due to the underlying NT architecture, WinAPI calls and
Users/Groups data structures, that need attention.
Configuration
The Connector needs the following parameters:
Parameter | Description
ComputerName | The name of the machine (for example “ntserver01”) or its IP address (for example “212.52.2.218”) where the Connector will operate.
EntryType | Should be set to either “User” (specifying that the Connector will operate with data structured by Users) or “Group” (specifying that the Connector will operate with data structured by Groups).
UserName | If set blank, no logon on the specified machine is performed and ADSIConnector will have the privileges of the process in which MI is run. If some value is set, then the Connector will attempt to log on to the ComputerName machine with this user name and the password specified by the Password parameter.
Password | The value of this parameter is taken into account only when the UserName parameter is set to a non-blank value. It then specifies the password used for the logon operations.
Constructing “Link Criteria”
One has to construct link criteria when using the Connector in Lookup, Update and Delete modes. ADSIConnector supports only
“Link Criteria” that uniquely identifies one entry. The format is strict,
and passing a “Link Criteria” that doesn't match this format results in an
exception saying "Unsupported Link Criteria structure."
Here is the “Link Criteria” structure that has to be used:
User (Connector's EntryType parameter is set to “User”). Consists of just one row where:
o “Connector Attribute” is set to “UserName”
o “Operand” is set to “equals”
o “Value” is set to the name of a user account (i.e. user name) or configured by a template to receive the name of a user account.
Group (Connector's EntryType parameter is set to “Group”). Consists of two rows as follows (the order is vital):
First row:
o “Connector Attribute” is set to “GroupName”
o “Operand” is set to “equals”
o “Value” is set to the name of a group account (i.e. group name) or configured by a template to receive the name of a group account.
Second row:
o “Connector Attribute” is set to “IsGlobal”
o “Operand” is set to “equals”
o “Value” is set to “True” to indicate that the group account specified in the first row is global and “False” to indicate that the group account is local. Can also be configured by a template to receive “True” or “False” values indicating global or local group accounts.
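The structural rules above, as an added example that is not part of the ADSI Connector or its documentation: a small pre-check that accepts exactly the User and Group “Link Criteria” shapes the page describes and rejects everything else with the Connector's own error text. Rows are modelled as (Connector Attribute, Operand, Value) tuples, and a template-configured Value is assumed to have been resolved to the account name already; both are assumptions of this example.

```python
class UnsupportedLinkCriteria(Exception):
    """Mirrors the Connector's "Unsupported Link Criteria structure." error."""


# Error text quoted from the page; the Connector raises an exception with it.
_UNSUPPORTED = "Unsupported Link Criteria structure."


def validate_link_criteria(entry_type, rows):
    """Check rows of (Connector Attribute, Operand, Value) for one EntryType.

    Constructed helper (not the product's own): assumes a template-configured
    Value has already been resolved to the account name. Returns the resolved
    criteria on success and raises on any structural error.
    """
    if entry_type == "User":
        # Exactly one row: UserName equals <user name>
        if len(rows) != 1:
            raise UnsupportedLinkCriteria(_UNSUPPORTED)
        attr, op, value = rows[0]
        if (attr, op) != ("UserName", "equals") or not value:
            raise UnsupportedLinkCriteria(_UNSUPPORTED)
        return {"UserName": value}

    if entry_type == "Group":
        # Exactly two rows, in this order: GroupName first, then IsGlobal.
        if len(rows) != 2:
            raise UnsupportedLinkCriteria(_UNSUPPORTED)
        (attr1, op1, name), (attr2, op2, flag) = rows
        if (attr1, op1) != ("GroupName", "equals") or not name:
            raise UnsupportedLinkCriteria(_UNSUPPORTED)
        # IsGlobal must be literally "True" or "False". The order is vital,
        # so swapped rows are rejected rather than silently reordered.
        if (attr2, op2) != ("IsGlobal", "equals") or flag not in ("True", "False"):
            raise UnsupportedLinkCriteria(_UNSUPPORTED)
        return {"GroupName": name, "IsGlobal": flag == "True"}

    raise UnsupportedLinkCriteria(f"EntryType must be User or Group, got {entry_type!r}")


if __name__ == "__main__":
    # Constructed sample: a Group lookup for the global "Domain Admins" group.
    print(validate_link_criteria("Group", [("GroupName", "equals", "Domain Admins"),
                                           ("IsGlobal", "equals", "True")]))
```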
Other
User/Group account names
o On a Domain Controller machine, users and groups are retrieved and should be accessed in the following formats: <USER_NAME>, <GROUP_NAME>.
o On a non Domain Controller machine, local users and groups are retrieved and should be accessed in the format <USER_NAME>, <GROUP_NAME>. Global groups and domain users (which can be members of a local group on a non domain controller machine) are retrieved and should be accessed in the format <DOMAIN_NAME>\<GLOBAL_GROUP_NAME>, <DOMAIN_NAME>\<USER_NAME>.
Setting user’s password
Remember that a user's password value cannot be retrieved. NT stores it
in a manner that cannot be read. If an AssemblyLine copies users from one
NT machine to another, you will need to set the “Password” attribute value
manually. When adding a user, passing the “Password” attribute with no
value will result in creating a user with an empty password. When
modifying a user, passing the “Password” attribute with no value will
result in keeping the old password.
Setting user’s Primary Group / global groups membership
Applies only to domain users (users on the Primary Domain Controller
machine). A user should always be a member of his Primary Group. This
means that the value set in the “PrimaryGroup” attribute should be present in
the “GlobalGroups” attribute. However, the “PrimaryGroup” attribute can be
set with no value when adding a user; then the default Primary Group
(Domain Users) is set for the user.
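The two rules from the password and Primary Group sections above, as an added pre-flight check that is not part of the ADSI Connector: it refuses an AddOnly entry whose “Password” is blank (which would create an account with an empty password), drops a blank “Password” on Update (which the Connector would treat as "keep the old password"), and enforces that “PrimaryGroup” appears in “GlobalGroups”, defaulting it to Domain Users on add. The attribute names are the page's; the entry-as-dict shape, the function name and the choice to add the defaulted group to GlobalGroups are assumptions of this example.

```python
# Default Primary Group named on the page for a domain user added with a
# blank "PrimaryGroup" attribute.
DEFAULT_PRIMARY_GROUP = "Domain Users"


def preflight_user_entry(mode, attrs, allow_empty_password=False):
    """Validate a user entry (dict of attribute name -> value) for one mode.

    Constructed helper, not the product's own. Returns the entry as it should
    be handed to the Connector, or raises ValueError when the entry would
    create an empty-password account or violate the Primary Group rule.
    """
    if mode not in ("AddOnly", "Update"):
        raise ValueError(f"unsupported mode for this check: {mode!r}")
    entry = dict(attrs)

    password = entry.get("Password", "")
    if mode == "AddOnly" and not password and not allow_empty_password:
        # Page: a blank "Password" on add creates a user with an EMPTY password.
        raise ValueError("blank Password on AddOnly would create an empty-password user")
    if mode == "Update" and not password:
        # Page: a blank "Password" on modify keeps the old password; drop the
        # attribute so the intent is explicit in what is sent.
        entry.pop("Password", None)

    groups = list(entry.get("GlobalGroups", []))
    primary = entry.get("PrimaryGroup", "")
    if not primary:
        if mode != "AddOnly":
            return entry  # Update with no PrimaryGroup change: nothing to check
        # Page: blank "PrimaryGroup" on add -> default Primary Group.
        primary = DEFAULT_PRIMARY_GROUP
        entry["PrimaryGroup"] = primary
        if primary not in groups:
            # Assumption of this example: keep the membership rule true for
            # the defaulted group as well, rather than relying on the backend.
            groups.append(primary)
    if primary not in groups:
        raise ValueError(f"PrimaryGroup {primary!r} is not listed in GlobalGroups {groups}")
    entry["GlobalGroups"] = groups
    return entry


if __name__ == "__main__":
    # Constructed sample entry for an AddOnly run (values are made up).
    print(preflight_user_entry("AddOnly", {"UserName": "jdoe", "Password": "S3cret!",
                                           "GlobalGroups": ["Staff"]}))
```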
Operating with groups
There are certain groups that are predefined and “special” for Windows
NT, and there are certain operations that are not allowed on these groups.
Such operations are: delete, rename and modification of some of their
attributes. Any attempt to perform an illegal operation on any of these groups
will result in an exception.
Here is the list of these groups, structured by NT installations:
Domain Controller:
Global groups
o Domain Admins
o Domain Users
Local groups
o Administrators
o Users
o Guests
o Backup operators
o Replicator
o Account operators
o Print operators
o Server operators
Non Domain Controller:
Local groups
o Administrators
o Users
o Guests
o Backup operators
o Replicator
o Power Users
Downloads
Included in base product