
ADSI Connector

Overview

The ADSIConnector operates on the Windows NT security database. It deals with NT’s users and groups, the two basic entities of the NT security database. The Connector can both read and modify the NT security database on the local NT machine, on the Primary Domain Controller machine and on the Primary Domain Controller machine of another domain.

Full functional specification of ADSIConnector, architecture description as well as hardware and software requirements can be found here.

Example

A demo package containing ready-to-run configurations for each of the ADSI Connector's modes is included here.

Preconditions

To run ADSIConnector successfully with all of its functionality, the Connector should run in a process owned by a user who is a member of the local Administrators group and who has login privileges to the domain controller and to other domains (if accessed).
This precondition can be omitted if the UserName and Password parameters of the Connector specify an account that meets the requirements stated above.

 

ADSIConnector is designed and implemented to work in the following modes: Iterator, Lookup, AddOnly, Delete, Update. Tuning and using the Connector in each of these modes is the same as with any other Connector. However, there are some specifics, due to the underlying NT architecture, WinAPI calls and Users/Groups data structures, that require attention.

Configuration

The Connector needs the following parameters:

Parameter Description

ComputerName The name of the machine (for example “ntserver01”) or its IP address (for example “212.52.2.218”) where the Connector will operate.
EntryType Should be set to either “User” (specifying that the Connector will operate with data structured by Users) or “Group” (specifying that the Connector will operate with data structured by Groups).
UserName If left blank, no logon to the specified machine is performed and ADSIConnector will have the privileges of the process in which MI is run. If a value is set, the Connector will attempt to log on to the ComputerName machine with this user name and the password specified by the Password parameter.
Password The value of this parameter is taken into account only when the UserName parameter is set to a non-blank value. It then specifies the password used for the logon operations.

 

Constructing “Link Criteria”

Link criteria have to be constructed when using the Connector in Lookup, Update and Delete modes. ADSIConnector supports only “Link Criteria” that uniquely identify one entry. The format is strict, and passing a “Link Criteria” that doesn’t match this format results in an exception saying "Unsupported Link Criteria structure."

Here is the “Link Criteria” structure that has to be used:

User (Connector’s EntryType parameter is set to “User”). Consists of just one row where:
 o “Connector Attribute” is set to “UserName”
 o “Operand” is set to “equals”
 o “Value” is set to a name of a user account (i.e. user name) or configured by a template to receive the name of a user account.

Group (Connector’s EntryType parameter is set to “Group”). Consists of two rows as follows (the order is vital):
First row:
 o “Connector Attribute” is set to “GroupName”
 o “Operand” is set to “equals”
 o “Value” is set to a name of a group account (i.e. group name) or configured by a template to receive the name of a group account.
Second Row:
 o “Connector Attribute” is set to “IsGlobal”
 o “Operand” is set to “equals”
 o “Value” is set to “True” to indicate that the group account specified in the first row is global and “False” – to indicate that the group account is local. Can also be configured by a template to receive “True” or “False” values indicating global or local group accounts.
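
The structure above can be checked before an AssemblyLine runs. The following is an added example, not code from the Connector or from Metamerge: it models each “Link Criteria” row as a plain {attribute, operand, value} object (an assumption) and applies the rules stated in this section to values after any template has been resolved.

```javascript
// Added example. Row objects {attribute, operand, value} are an assumed
// representation; the Connector's own internal structures are not shown here.
const EXPECTED_ROWS = {
  User: ["UserName"],
  Group: ["GroupName", "IsGlobal"], // the order of the two rows is vital
};

function checkLinkCriteria(entryType, rows) {
  const fail = () => {
    // Same message the documentation quotes for a mismatching structure.
    throw new Error("Unsupported Link Criteria structure.");
  };
  const expected = EXPECTED_ROWS[entryType];
  if (!expected || !Array.isArray(rows) || rows.length !== expected.length) fail();

  rows.forEach((row, i) => {
    if (!row || row.attribute !== expected[i] || row.operand !== "equals") fail();
    // Assumption: a blank value cannot identify exactly one entry.
    if (typeof row.value !== "string" || row.value === "") fail();
  });

  // The second Group row only distinguishes global from local accounts.
  if (entryType === "Group" && !["True", "False"].includes(rows[1].value)) fail();

  return entryType === "User"
    ? { UserName: rows[0].value }
    : { GroupName: rows[0].value, IsGlobal: rows[1].value === "True" };
}
```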

 

Other

User/Group account names

 o On Domain Controller Machine
Users and groups are retrieved and should be accessed in the following formats: <USER_NAME>, <GROUP_NAME>.

 o On Non Domain Controller Machine
Local users and groups are retrieved and should be accessed in the format  <USER_NAME>, <GROUP_NAME>.

Global groups and domain users (which can be members of a local group on a non domain controller machine) are retrieved and should be accessed in the format <DOMAIN_NAME>\<GLOBAL_GROUP_NAME>, <DOMAIN_NAME>\<USER_NAME>.


Setting user’s password

Remember that a user’s password value cannot be retrieved. NT stores it in a manner that cannot be read. If an AssemblyLine copies users from one NT machine to another, you will need to set the “Password” attribute value manually.
When adding a user, passing the “Password” attribute with no value will result in creating a user with an empty password.
When modifying a user, passing the “Password” attribute with no value will result in keeping the old password.


Setting user’s Primary Group / global groups membership

Applies only to domain users (users on the Primary Domain Controller machine). A user should always be a member of his Primary Group. This means that the value set in the “PrimaryGroup” attribute should be present in the “GlobalGroups” attribute. However, the “PrimaryGroup” attribute can be set with no value when adding a user; the default Primary Group (Domain Users) is then set for the user.


Operating with groups

Certain groups are predefined and “special” for Windows NT, and certain operations are not allowed on these groups: delete, rename and modification of some of their attributes. Any attempt to perform an illegal operation on any of these groups will result in an exception.

Here is the list of these groups, structured by NT installations:

Domain Controller:
    Global groups
        o Domain Admins
        o Domain Users
    Local groups
        o Administrators 
        o Users 
        o Guests 
        o Backup operators 
        o Replicator
        o Account operators 
        o Print operators 
        o Server operators

Non Domain Controller:
    Local groups
        o Administrators 
        o Users 
        o Guests 
        o Backup operators 
        o Replicator
        o Power Users
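
The rules from the three sections above (blank “Password” on add, “PrimaryGroup” membership, predefined groups) can be checked on an entry before it reaches the Connector. This is an added example, not code from the Connector or from Metamerge: the entry is modelled as a plain object keyed by attribute name, “GlobalGroups” is taken to be a list, and group names are compared case-insensitively (all assumptions).

```javascript
// Added example. Entry shape and case-insensitive name matching are assumptions.
const PREDEFINED = {
  dc: {
    global: ["Domain Admins", "Domain Users"],
    local: ["Administrators", "Users", "Guests", "Backup operators", "Replicator",
            "Account operators", "Print operators", "Server operators"],
  },
  nonDc: {
    global: [],
    local: ["Administrators", "Users", "Guests", "Backup operators", "Replicator",
            "Power Users"],
  },
};

const isBlank = (v) => v === undefined || v === null || String(v).trim() === "";
const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// mode: "AddOnly" | "Update" | "Delete"; entryType: "User" | "Group".
// Returns a list of findings; an empty list means nothing was flagged.
function preflight(mode, entryType, entry, onDomainController) {
  const findings = [];
  if (entryType === "User") {
    // Blank Password on add creates the account with an empty password;
    // on Update a blank Password keeps the old one, so it is not flagged.
    if (mode === "AddOnly" && isBlank(entry.Password)) {
      findings.push("Password is blank: account would be created with an empty password");
    }
    // Domain users only: PrimaryGroup must also appear in GlobalGroups.
    if (onDomainController && !isBlank(entry.PrimaryGroup)) {
      const groups = [].concat(entry.GlobalGroups || []);
      if (!groups.some((g) => same(g, entry.PrimaryGroup))) {
        findings.push("PrimaryGroup is not listed in GlobalGroups");
      }
    }
  } else if (entryType === "Group") {
    const scope = same(entry.IsGlobal, "true") ? "global" : "local";
    const names = PREDEFINED[onDomainController ? "dc" : "nonDc"][scope];
    if (names.some((g) => same(g, entry.GroupName))) {
      if (mode === "Delete") {
        findings.push("Delete is not allowed on predefined group " + entry.GroupName);
      } else if (mode === "Update") {
        findings.push("Predefined group " + entry.GroupName +
                      ": rename and some attribute changes raise an exception");
      }
    }
  }
  return findings;
}
```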

 

Downloads

Included in base product

 
Metamerge Integrator version 4.5 ©Copyright Metamerge AS 2000-2002 Last edited 2002-04-30