check AD membership

  • chandrika5

    SSCrazy

    Points: 2734

    Comments posted to this topic are about the item check AD membership

  • Nicholas Cain

    SSC-Dedicated

    Points: 33009

    I am unable to get this to work.

    I've replaced the with my AD information, however get an error. Having performed ADSI queries before I am not sure how this would return results as there does not appear to be any select performed against the AD itself.

    What am I missing here?



    Shamless self promotion - read my blog http://sirsql.net

  • chandrika5

    SSCrazy

    Points: 2734

    What is the error?

    This is in production for over an year. I've put this up here after several months of being "in production".

  • Nicholas Cain

    SSC-Dedicated

    Points: 33009

    I found the problem, I mistakenly removed the <> around the LDAP details, it works now.

    Thanks, great script, something I have desperately needs for a while.



    Shamless self promotion - read my blog http://sirsql.net

  • chandrika5

    SSCrazy

    Points: 2734

    You are welcome. 🙂

  • NeddyRock

    SSC Veteran

    Points: 262

    Awesome script. I can't thank you enough.

    Ned

  • chandrika5

    SSCrazy

    Points: 2734

    You are welcome.

  • Dave62

    SSCertifiable

    Points: 6468

    You're right to call this a work around. Since you're using ASP and AD, wouldn't it be easier (perhaps a little more sophisticated) to have a common function called when each page loads that checks the groups the authenticated user belongs to. There are a lot of scripts available to return the information directly from server-side code without having to go through all the SQL Server configurations and making the additional database call to check AD. Here's one example:

    Option Explicit

    ' NOTE: Replace YOUR_DOMAIN in the Select statement with the name of your AD Domain

    Dim strGroup 'The AD group being checked

    Dim strMessage

    Dim GroupDN

    Dim oConn, oCmd, oRS

    Dim oGroup, oMember

    strGroup = "AD Group Name"

    Const ADS_SCOPE_SUBTREE = 2

    Set oConn = CreateObject("ADODB.Connection")

    Set oCmd = CreateObject("ADODB.Command")

    oConn.Provider = "ADsDSOObject"

    oConn.Open "Active Directory Provider"

    Set oCmd.ActiveConnection = oConn

    oCmd.Properties("Page Size") = 1000

    oCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    'Return all the members of the group

    oCmd.CommandText = "SELECT distinguishedName FROM 'LDAP://dc=YOUR_DOMAIN,dc=com' WHERE objectCategory = 'group' And CN = '" & strGroup & "'"

    Set oRS = oCmd.Execute

    oRS.MoveFirst

    Do Until oRS.EOF

    GroupDN = oRS.Fields("distinguishedName").Value

    Set oGroup = GetObject("LDAP://" & GroupDN)

    For Each oMember In oGroup.Members

    strMessage = strMessage & oMember.sAMAccountName & chr(13)

    Next

    oRS.MoveNext

    Loop

    msgbox strMessage, vbInformation, "Members of [" & strGroup & "]"

    ' Clean up

    Set oMember = Nothing

    Set oGroup = Nothing

    Set oRS = Nothing

    Set oCmd = Nothing

    Set oConn = Nothing

    This script will display the members of an AD group in a message box. It can easily be modified and put into a common function that checks if the authenticated user belongs to a particular group(s) and return True or False to the calling page.

  • chandrika5

    SSCrazy

    Points: 2734

    I am not sure how many people write new classic ASPs these days. Portability is the key here. I can deploy this SP in several SQL instances, and give developers access to this.: ASP or JSP or PHP etc. The SP is independent of web authoring server side language.

  • Dave62

    SSCertifiable

    Points: 6468

    chandrika5 (2/8/2013)


    I am not sure how many people write new classic ASPs these days. Portability is the key here. I can deploy this SP in several SQL instances, and give developers access to this.: ASP or JSP or PHP etc. The SP is independent of web authoring server side language.

    Good points but it will most likely depend on where the solution is needed. I gave classic ASP code because that was mentioned in your article. A similar function can easily be ported to .NET where it can be used by many languages. Having this simple function in the front-end means it will work with a variety of back-end databases (SQL Server, MySQL, Postgre, Oracle, ...) as well as all the .NET front-end languages.

    Putting all the effort needed to make it work in an SP means it can work with a few other languages that are not .NET but will not work with any other databases.

    So I guess either approach can be fine depending on the environment.

    Enjoy!

  • John Mitchell-245523

    SSC Guru

    Points: 148453

    Or you can use xp_logininfo. No linked servers, no loops, no "foreign" languages.

    John

Viewing 11 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic. Login to reply