Directory Programming .NET

Active Directory and ADAM programming support for .NET developers
Trusted users in a Domain Local group

Last post 02-16-2009, 8:32 AM by joe. 3 replies.
  •  02-15-2009, 1:04 PM 5832

    Trusted users in a Domain Local group

    Hi,

    In a domain local group there are local users and trusted users from other domains as members. Looping through the group, all the information I get from the trusted users is the DN, and from that I can get the SID for that user. My problem is that I don't know the trusted user's domain. We have trusts with several domains. So I want to know: is there something I have missed? Some property to get the information about which domain the trusted user belongs to?

    Thanks in advance

    Maria

  •  02-15-2009, 3:35 PM 5833 in reply to 5832

    Re: Trusted users in a Domain Local group

    It sounds like you are talking about a Foreign Security Principal (FSP).  If the DN is in a format that includes the SID value, you actually have an FSP.  In order to resolve it back to the end user, you will need to find that FSP object in the 'Foreign Security Principals' container and read back the SID value on the object.

    Once you have the SID value, you can do a couple things:

    1. Try using something like DsCrackNames to resolve the SID for you into the real DN for the object and determine the domain that way.
    2. Try binding using SID binding syntax (e.g. LDAP://<SID=....>) and see if that resolves for you (might not without domain hint).
    3. Search a global catalog server for the SID value and pull the DN from the GC.  This might end up being the best option as you said they are from the same forest, just different domain, right?

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming

  •  02-16-2009, 2:45 AM 5835 in reply to 5833

    Re: Trusted users in a Domain Local group

    Hi,

    Thanks for your answer.

    The domains are not in the same forest (answer to number 3).

    I will try DsCrackNames. Do you have some more info about how I would do this? :-)

    Regards,

    Maria

  •  02-16-2009, 8:32 AM 5838 in reply to 5835

    Re: Trusted users in a Domain Local group

    Ryan has a wrapper for it in the complete samples from the book, although there are better versions that can be dug up on CodePlex these days.

    As long as the trust path exists on your machine, you should be able to use the Translate method on the SecurityIdentifier class to convert to an NT account.  That is supposed to work across trusts.

    You can either parse out the SID of the foreign user from the DN value stored in the group membership or you can open that object, read its objectSid attribute and then use that to build the SecurityIdentifier class.  This might be a little easier than using DsCrackNames.
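
A worked version of the two approaches joe describes (parsing the SID out of the ForeignSecurityPrincipal DN, or opening the object and reading objectSid, then SecurityIdentifier.Translate to get the DOMAIN\user form), with Ryan's LDAP://<SID=...> binding syntax as a fallback when a domain hint is available. This is an added C# example, not code from the thread, from the book's samples or from CodePlex; the group DN, the trusted-domain hint and the error handling are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text.RegularExpressions;

static class ForeignMemberResolver
{
    // The RDN of a foreign security principal object is its SID in SDDL form, e.g.
    // CN=S-1-5-21-...-1105,CN=ForeignSecurityPrincipals,DC=corp,DC=example
    static readonly Regex FspRdn = new Regex(
        @"^CN=(S-1-\d+(?:-\d+)+),\s*CN=ForeignSecurityPrincipals,",
        RegexOptions.IgnoreCase);

    // Option A: the member DN already carries the SID; no directory round trip needed.
    // Returns null for ordinary (non-FSP) members of the group.
    public static SecurityIdentifier SidFromMemberDn(string memberDn)
    {
        Match m = FspRdn.Match(memberDn);
        return m.Success ? new SecurityIdentifier(m.Groups[1].Value) : null;
    }

    // Option B: open the FSP object itself and read its binary objectSid attribute.
    public static SecurityIdentifier SidFromObject(string memberDn)
    {
        using (var entry = new DirectoryEntry("LDAP://" + memberDn))
        {
            var raw = (byte[])entry.Properties["objectSid"].Value;
            return new SecurityIdentifier(raw, 0);
        }
    }

    // Resolve the SID across the trust into TRUSTEDDOMAIN\user.
    // Null means no trust path from this machine, or an orphaned SID whose
    // source account no longer exists (worth reviewing in group audits).
    public static string TranslateToAccount(SecurityIdentifier sid)
    {
        try
        {
            return ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException) { return null; }
        catch (SystemException) { return null; } // Win32 lookup failure, e.g. DC unreachable
    }

    // Fallback: ADSI SID-binding syntax. The optional server/domain prefix is the
    // "domain hint" Ryan mentions; without it the bind may not resolve across a trust.
    public static string DnBySidBind(SecurityIdentifier sid, string domainHint)
    {
        string path = string.IsNullOrEmpty(domainHint)
            ? "LDAP://<SID=" + sid.Value + ">"
            : "LDAP://" + domainHint + "/<SID=" + sid.Value + ">";
        try
        {
            using (var e = new DirectoryEntry(path))
                return (string)e.Properties["distinguishedName"].Value;
        }
        catch (COMException) { return null; } // object not found or no connectivity
    }

    static void Main()
    {
        // Assumed placeholders: replace with the real group DN and trusted domain.
        const string groupDn = "CN=Vendors,OU=Groups,DC=corp,DC=example";
        const string trustedDomainHint = "partner.example";

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            foreach (string memberDn in group.Properties["member"])
            {
                SecurityIdentifier sid = SidFromMemberDn(memberDn);
                if (sid == null) continue; // member from this domain, not an FSP

                string account = TranslateToAccount(sid)
                                 ?? DnBySidBind(sid, trustedDomainHint)
                                 ?? "UNRESOLVED (no trust path or orphaned SID)";
                Console.WriteLine("{0} -> {1}", sid.Value, account);
            }
        }
    }
}
```

The domain part of the NTAccount value (everything before the backslash) is the trusted domain the original question asks for. Option A needs no directory access for the FSP object and is the cheaper choice when the group's member values are already in hand; Option B is the safer one when DN formats might vary, since objectSid is authoritative.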
