Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Update Active Directory from SQL Server? Expand / Collapse
Author
Message
Posted Tuesday, September 22, 2009 8:17 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Thursday, September 23, 2010 8:07 AM
Points: 42, Visits: 334
I am aware of how to read Active Directory entries using SQL Server, and use that information to update SQL Server data tables. Is it possible to initiate new entries in Active Directory, or update existing entries in Active Directory, from SQL Server? If so, it would give us a way to correct misspellings, add employees to Active Directory, etc. based on our master employee table in SQL Server.

Thanks,
Randy
Post #791804
Posted Tuesday, September 22, 2009 8:22 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: Wednesday, February 8, 2012 11:14 AM
Points: 95, Visits: 123
I have not heard of modifying the Active Directory by using the LDAP connection from SQL Server, I do not think it's possible when using LDAP to issue update commands; that being said, I'm not exactly an expert on that issue. Here is a good article on LDAP and SQL Server.

http://www.codeproject.com/KB/database/SQL_Server_%96_Active_Direc.aspx
Post #791812
Posted Tuesday, September 22, 2009 8:27 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Thursday, May 15, 2014 5:11 PM
Points: 6,067, Visits: 5,283
I'm not aware of any way to do it directly with SQL.

With that said, I do know of a way to do it with CLR (I think).

So if you are not wanting to create a SQLCLR object you might as well stop here..

Ok, you can build a CLR object that uses ADModify on CodePlex at:
http://admodify.codeplex.com/

That assembly is the basis for your work. Using it you should be able to change many if not most of the attributes you want.

Does that answer your question?

CEWII
Post #791820
Posted Tuesday, September 22, 2009 8:30 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Thursday, September 23, 2010 8:07 AM
Points: 42, Visits: 334
I am not opposed to using CLR or managed code, although I haven't tried doing so yet. I will investigate what you have referred me to. Thanks!
Post #791824
Posted Tuesday, September 22, 2009 8:33 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Monday, August 18, 2014 8:24 AM
Points: 6,634, Visits: 1,871
Use scripts or custom applications to do this, don't originate it from SQL Server (speaking as both a SQL Server DBA and a former directory services administrator). If you're using scripting, you've got ADSI as an option as well as System.DirectoryServices.Protocols if you're using .NET or PowerShell. Do *not* use System.DirectoryServices:

Joe Richards (Directory Services MVP) on System.DirectoryServices


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #791826
Posted Tuesday, September 22, 2009 9:57 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Thursday, May 15, 2014 5:11 PM
Points: 6,067, Visits: 5,283
K. Brian Kelley (9/22/2009)
Use scripts or custom applications to do this, don't originate it from SQL Server (speaking as both a SQL Server DBA and a former directory services administrator). If you're using scripting, you've got ADSI as an option as well as System.DirectoryServices.Protocols if you're using .NET or PowerShell. Do *not* use System.DirectoryServices:

Joe Richards (Directory Services MVP) on System.DirectoryServices

Mr. Kelley,
What is your objection to doing it from SQL using SQLCLR, or is it just SQLCLR?

CEWII
Post #791940
Posted Tuesday, September 22, 2009 11:12 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Monday, August 18, 2014 8:24 AM
Points: 6,634, Visits: 1,871
Because you're consuming memory and resources intended for the SQL Server process, 1, and 2, it means your SQL Server service account doesn't have to have special privileges within the domain (because that's what it execute in the context of). Also, it means you can put in more extensive error handling, decision trees, etc., in to an application if it queries SQL Server for the information and then makes a determination of what needs to be updated, etc., within the application. Also, by doing so, you're making the solution more portable, meaning you could put it on a utility server and move it around as needed as opposed to installing something custom into SQL Server.

So yeah, several reasons. Also, it's the general idea that this isn't what SQL Server was intended for. SQL Server was intended to service as a database engine, so it's not really the right tool for the job, even though you might extend it some. It was like the idea of using Microsoft Exchange to store files. While it was technically supported, Exchange would never do it as efficiently as a regular file system or a document control system like SharePoint (which is extremely lightweight with respect to feature set in this category but still performs better than Exchange).



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #792012
Posted Tuesday, September 22, 2009 3:22 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Thursday, May 15, 2014 5:11 PM
Points: 6,067, Visits: 5,283
I see your points, but I would say that there are circumstances that negate or mitigate each of your points and whether this particular problem that the poster is posing is one of them, I can't know..

CEWII
Post #792222
Posted Tuesday, September 22, 2009 3:51 PM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Monday, August 18, 2014 8:24 AM
Points: 6,634, Visits: 1,871
Elliott W (9/22/2009)
I see your points, but I would say that there are circumstances that negate or mitigate each of your points and whether this particular problem that the poster is posing is one of them, I can't know..

CEWII


All right, I'll bite on that. From a security perspective, the Principle of Least Privilege and the idea of Separation of Duties carried to a service account would suggest you don't run such an update from SQL Server. You keep SQL Server running with minimal privileges, especially to update the domain. Because you get control of the server / the SQL Server and you've gotten the domain, or at least elevated credentials on the domain.

The fact of the matter is that unless you're running SBS, you shouldn't be running SQL Server on a DC. And chances are the DCs are locked down tighter than the server where SQL Server is running (for instance, only domain admins can remote desktop into a DC because they're the only ones with domain admin rights). If you were running such a script, you would likely want it on a member server with minimal services running which has a security profile similar to a DC.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #792241
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse