
NT4 Connector

Overview

The NT4Connector works with the Windows NT security database. It deals with NT’s users and groups, the two basic entities of the NT security database. The Connector can both read and modify the NT security database on the local NT machine, on the Primary Domain Controller machine and on the Primary Domain Controller machine of another domain.

The Connector is designed to connect to NT4/Win2000 SAM databases through the Win32 API for NT/2000 user/group accounts. You can connect to a Win2000 SAM database, but the Connector will only read/write attributes that are backward-compatible with NT4 (in other words, the Connector has a predefined, static attribute map table consisting of NT4 attributes). Win2000 native attributes and user-defined attributes are therefore not supported by the Connector.

Full functional specification of NT4Connector, architecture description as well as hardware and software requirements can be found here.

Example

A demo package containing ready to run configurations for each of the NT4 Connector's modes is included here.

Preconditions

To run NT4Connector successfully with all of its functionality, the Connector should run in a process owned by a user who is a member of the local Administrators group and has login privileges to the domain controller and to other domains (if accessed).
This precondition can be omitted if the UserName and Password parameters of the Connector are set to specify an account that meets the requirements stated above.

 

NT4Connector is designed and implemented to work in the following modes: Iterator, Lookup, AddOnly, Delete, Update. Tuning and using the Connector in each of these modes is the same as with any other Connector. However, there are some specifics due to the underlying NT architecture, WinAPI calls and Users/Groups data structures that require attention.

Configuration

The Connector needs the following parameters:

Parameter    Description

ComputerName The name of the machine (for example “ntserver01”) or its IP address (for example “212.52.2.218”) where the Connector will operate.
EntryType Should be set to either “User” (specifying that the Connector will operate with data structured by Users) or “Group” (specifying that the Connector will operate with data structured by Groups).
UserName If left blank, no logon to the specified machine is performed and NT4Connector will have the privileges of the process in which MI is run. If a value is set, the Connector will attempt to log on to the ComputerName machine with this user name and the password specified by the Password parameter.
Password The value of this parameter is taken into account only when the UserName parameter is set to a non-blank value. It then specifies the password used for the logon operations.
PageSize Specifies the number of Entries (Users and Global Groups) that NT/AD will return in one chunk when the Connector retrieves Users and Global Groups. Should be a number between 1 and 100.

 

Constructing “Link Criteria”

Link criteria must be constructed when using the Connector in Lookup, Update and Delete modes. NT4Connector supports only “Link Criteria” that uniquely identify one entry. The format is strict, and passing a “Link Criteria” that doesn’t match this format results in an exception saying "Unsupported Link Criteria structure."

Here is the “Link Criteria” structure that has to be used:

User (Connector’s EntryType parameter is set to “User”). Consists of just one row where:
 o “Connector Attribute” is set to “UserName”
 o “Operand” is set to “equals”
 o “Value” is set to a name of a user account (i.e. user name) or configured by a template to receive the name of a user account.

Group (Connector’s EntryType parameter is set to “Group”). Consists of two rows as follows (the order is vital):
First row:
 o “Connector Attribute” is set to “GroupName”
 o “Operand” is set to “equals”
 o “Value” is set to a name of a group account (i.e. group name) or configured by a template to receive the name of a group account.
Second Row:
 o “Connector Attribute” is set to “IsGlobal”
 o “Operand” is set to “equals”
 o “Value” is set to “True” to indicate that the group account specified in the first row is global and “False” – to indicate that the group account is local. Can also be configured by a template to receive “True” or “False” values indicating global or local group accounts.
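
The structure above can be checked before an AssemblyLine hands it to the Connector. This is an added example, not Metamerge code: it works on plain objects holding the already resolved values, and the row field names (attribute, operand, value) and function names are assumptions. Its check on the “IsGlobal” value is this example's own strictness.

```javascript
// Added example: pre-flight check of a resolved "Link Criteria".
// Plain objects only; not the product's own classes or API.
const UNSUPPORTED = "Unsupported Link Criteria structure.";

// A row must name the expected attribute, use "equals" and carry a value.
function checkRow(row, attribute) {
  return row !== null && typeof row === "object" &&
    row.attribute === attribute &&
    row.operand === "equals" &&
    typeof row.value === "string" && row.value.length > 0;
}

function validateLinkCriteria(entryType, rows) {
  if (!Array.isArray(rows)) throw new Error(UNSUPPORTED);
  if (entryType === "User") {
    // Exactly one row: UserName equals <user name>
    if (rows.length !== 1 || !checkRow(rows[0], "UserName")) {
      throw new Error(UNSUPPORTED);
    }
    return { entryType, name: rows[0].value };
  }
  if (entryType === "Group") {
    // Exactly two rows, in this order: GroupName first, IsGlobal second
    if (rows.length !== 2 || !checkRow(rows[0], "GroupName") ||
        !checkRow(rows[1], "IsGlobal")) {
      throw new Error(UNSUPPORTED);
    }
    const flag = rows[1].value;
    if (flag !== "True" && flag !== "False") throw new Error(UNSUPPORTED);
    return { entryType, name: rows[0].value, isGlobal: flag === "True" };
  }
  throw new Error(UNSUPPORTED);
}

// Constructed samples: a valid Group criteria and the same rows swapped.
const okGroup = [
  { attribute: "GroupName", operand: "equals", value: "Domain Users" },
  { attribute: "IsGlobal", operand: "equals", value: "True" },
];
const swappedGroup = [okGroup[1], okGroup[0]];
```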

 

Other

User/Group account names

 o On Domain Controller Machine
Users and groups are retrieved and should be accessed in the following formats: <USER_NAME>, <GROUP_NAME>.

 o On Non Domain Controller Machine
Local users and groups are retrieved and should be accessed in the format  <USER_NAME>, <GROUP_NAME>.

Global groups and domain users (which can be members of a local group on a non domain controller machine) are retrieved and should be accessed in the format <DOMAIN_NAME>\<GLOBAL_GROUP_NAME>, <DOMAIN_NAME>\<USER_NAME>.


Creating a new user

If, when creating a new user with the Connector, any of the following Attributes is omitted (or assigned a "null" value), it is automatically assigned a default value as follows:
o Flags: The account is marked as "normal account" and "user password never expires".
o AccountExpDate: A value that indicates that the "account never expires" is set.
o LogonHours: A value that indicates that there is "no time restriction" is set (i.e. the user may log on always).


Setting user’s password

Remember that a user’s password value cannot be retrieved. NT stores it in a manner that cannot be read. If an AssemblyLine copies users from one NT machine to another, you will need to set the “Password” attribute value manually.
When adding a user, passing the “Password” attribute with no value will result in creating a user with an empty password.
When modifying a user, passing the “Password” attribute with no value will result in keeping the old password.


Setting user’s Primary Group / global groups membership

Applies only to domain users (users on the Primary Domain Controller machine). A user should always be a member of his Primary Group. This means that the value set in the “PrimaryGroup” attribute should also be present in the “GlobalGroups” attribute. However, the “PrimaryGroup” attribute can be set with no value when adding a user; the default Primary Group (Domain Users) is then set for the user.
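
The defaults and password behaviour described in the three sections above can be reviewed before an entry reaches the Connector. This is an added example, not Metamerge code: entries are plain objects keyed by the attribute names on this page, and the function name, finding codes and severities are hypothetical. It assumes the entry targets a domain user and that undefined, null and empty values all count as "no value".

```javascript
// Added example: review a user entry before it is sent to the Connector.
// Not the product's API; attribute names are taken from this page.
function isBlank(v) {
  return v === undefined || v === null || v === "" ||
    (Array.isArray(v) && v.length === 0);
}

function reviewUserEntry(mode, entry) {
  const findings = [];
  const add = (severity, code, detail) => findings.push({ severity, code, detail });

  if (mode === "AddOnly") {
    if (isBlank(entry.Password)) {
      add("block", "EMPTY_PASSWORD", "user would be created with an empty password");
    }
    // Omitted attributes silently receive the permissive defaults listed above.
    if (isBlank(entry.Flags)) {
      add("warn", "DEFAULT_FLAGS", "normal account, user password never expires");
    }
    if (isBlank(entry.AccountExpDate)) {
      add("warn", "DEFAULT_EXPIRY", "account never expires");
    }
    if (isBlank(entry.LogonHours)) {
      add("warn", "DEFAULT_LOGON_HOURS", "no time restriction");
    }
  } else if (mode === "Update" && isBlank(entry.Password)) {
    add("info", "PASSWORD_KEPT", "old password is kept");
  }

  if (!isBlank(entry.PrimaryGroup)) {
    // PrimaryGroup must also appear in GlobalGroups (compared case-insensitively).
    const groups = [].concat(isBlank(entry.GlobalGroups) ? [] : entry.GlobalGroups);
    const primary = String(entry.PrimaryGroup).toLowerCase();
    if (!groups.some((g) => String(g).toLowerCase() === primary)) {
      add("block", "PRIMARY_GROUP_NOT_MEMBER",
        entry.PrimaryGroup + " is missing from GlobalGroups");
    }
  } else if (mode === "AddOnly") {
    add("info", "DEFAULT_PRIMARY_GROUP", "Domain Users");
  }
  return findings;
}
```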


Operating with groups

Certain groups are predefined and “special” for Windows NT, and certain operations are not allowed on them: delete, rename and modification of some of their attributes. Any attempt to perform an illegal operation on any of these groups will result in an exception.

Here is the list of these groups, structured by NT installations:

Domain Controller:
    Global groups
        o Domain Admins
        o Domain Users
    Local groups
        o Administrators 
        o Users 
        o Guests 
        o Backup operators 
        o Replicator
        o Account operators 
        o Print operators 
        o Server operators

Non Domain Controller:
    Local groups
        o Administrators 
        o Users 
        o Guests 
        o Backup operators 
        o Replicator
        o Power Users

Character sets

Unicode is supported.

Downloads

Included in base product

Metamerge Integrator version 4.6 ©Copyright Metamerge AS 2000-2002 Last edited 2002-06-10