Hi
I am performing user authentication using the WinNT and LDAP providers, using the following sequence:
1. Get the WinNT path of the local system's Administrators group.
2. Check whether the logged-on user (domain or local) is a member of the Administrators group or of any nested group.
3. For a domain user, I do the following steps:
   1. I get the default DN path for the domain using ADsGetObject, passing the RootDSE parameter.
   2. Get the LDAP path of the logged-on user using a dsquery filter.
   3. Make a dsquery filter string using the group name (in the case of a group), do further searching on that, get the distinguished name from there, and then make the LDAP path of the group with that.
   4. Using the group LDAP path, I do a recursive search for the logged-on user by matching the user's GUID with the logged-on user's, and return true in case it matches.
This is the general workflow of my code. As I am new to Active Directory, I have some problems with the client configuration. For normal cases, when we have one domain, my code is working properly. But in the client environment it is not giving proper output and I am not able to figure out the issue. The sample output from the client configuration is given below:
User Logon Name: MS-ROOT\user1
Logged-On User Path: LDAP://CN=user1,OU=Server_Admins,OU=Support_Accounts,DC=ab,DC=com
1st Members Path: WinNT://ABAD/Domain Admins
Under this Domain Admins group, my code is traversing all members properly.
LDAP path: CN=Domain Admins,CN=Users,DC=ab,DC=com
2nd Members Path: WinNT://ABAD/WinOps-Server-L3
The logged-on user belongs to this WinOps-Server-L3 group, but unfortunately my code is returning zero members for this group.
LDAP path: not found in my code
3rd Members Path: WinNT://MS-ROOT/HIPGM_SrvAdmin
My code is able to traverse properly through this group (HIPGM_SrvAdmin).
LDAP Path (DN path from the group filter): CN=HIPGM_SrvAdmin,OU=Support_Accounts,DC=ab,DC=com
Now my queries are:
1. From the LDAP path we can conclude that the domain name is ab.com, but in our logging we find that there are two different domains associated with the WinNT paths of the group objects: MS-ROOT and ABAD. I am not able to understand what these names actually are and what the difference is between ab.com and these names (MS-ROOT and ABAD).
2. For the 1st Members Path shown above, where the domain name, if I am correct, is ABAD, my code is able to traverse, but for the 2nd Members Path shown above my code is not able to traverse, despite it having the same ABAD domain name.
3. For the 3rd Members Path, where the domain is MS-ROOT, my code is able to traverse properly. Why? Is it because the currently logged-on user has the same domain, MS-ROOT?
4. Why are we seeing two different domain names, ABAD and MS-ROOT, under the same domain ab.com?
Please guide me about these things and let me know where I am wrong. Maybe my understanding is not correct, as I am new to AD, so please help me out with the correct understanding.
Thanks and Regards
Rahul Pathak
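The post walks a chain of WinNT://<domain>/<group> paths and has to turn each one into an LDAP path before it can recurse, and the names in front of the slash (ABAD, MS-ROOT) are not the DNS names in the DNs. The following PowerShell is an added example, not the poster's code: it looks up every domain of the forest in the Partitions container of the configuration naming context (each crossRef object carries the NetBIOS name, DNS name and default naming context of one domain), builds the group's LDAP path against the right domain, and then does the nested-membership test with a single server-side LDAP_MATCHING_RULE_IN_CHAIN query instead of walking each group's member attribute by hand. It assumes a domain-joined Windows host with Windows PowerShell 5.1 or later and credentials that can read the directory; the function names are mine, and the sample inputs at the bottom are the values from the post.

```powershell
# Added example, not the poster's code. Assumes a domain-joined Windows host,
# Windows PowerShell 5.1 or later, and an account that can read the directory
# (any authenticated user can read the Partitions container). Function names are mine.

# Escape a value for an RFC 4515 LDAP filter: DNs may contain backslashes, and an
# unescaped '(' ')' or '*' would change the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# One crossRef object per domain in the forest, with its NetBIOS name (what a
# WinNT:// path shows), DNS name (what appears in the DC= components) and default NC.
function Get-ForestDomains {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    # Only domain partitions carry a nETBIOSName; application and config partitions do not.
    $searcher.Filter = '(&(objectClass=crossRef)(nETBIOSName=*))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('nETBIOSName', 'dnsRoot', 'nCName'))
    foreach ($hit in $searcher.FindAll()) {
        [pscustomobject]@{
            NetbiosName = [string]$hit.Properties['netbiosname'][0]
            DnsRoot     = [string]$hit.Properties['dnsroot'][0]
            DefaultNC   = [string]$hit.Properties['ncname'][0]
        }
    }
}

# Turn WinNT://<NetBIOS domain>/<group> into the group's distinguishedName.
# Returns $null when the name before the slash is not a forest domain (for example a
# local group such as WinNT://<computer>/Administrators) or the group is not found.
function Get-GroupDnFromWinNTPath {
    param([Parameter(Mandatory)][string]$WinNTPath)
    if (-not ($WinNTPath -match '^WinNT://([^/]+)/([^/]+)$')) { throw "Unexpected WinNT path: $WinNTPath" }
    $netbios = $Matches[1]
    $sam     = $Matches[2]
    $domain  = Get-ForestDomains | Where-Object { $_.NetbiosName -eq $netbios }
    if (-not $domain) { return $null }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Name the domain explicitly: a serverless LDAP:// bind goes to a DC of the logon
    # domain, which is the wrong place to look for a group that lives in another domain.
    $searcher.SearchRoot = [ADSI]"LDAP://$($domain.DnsRoot)/$($domain.DefaultNC)"
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    [string]$hit.Properties['distinguishedname'][0]
}

# $true when the user is a direct or transitive member of the group. The matching rule
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC expand 'member'
# recursively; the query is sent to a DC of the group's own domain.
function Test-NestedGroupMember {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$GroupDn
    )
    if (-not ($GroupDn -match ',(DC=.+)$')) { throw "Not a DN: $GroupDn" }
    $groupNc = $Matches[1]
    $domain  = Get-ForestDomains | Where-Object { $_.DefaultNC -eq $groupNc }
    if (-not $domain) { throw "Domain $groupNc is not in this forest" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$($domain.DnsRoot)/$GroupDn"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $UserDn))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $null -ne $searcher.FindOne()
}

# Sample inputs taken from the post; the results depend on the live directory.
$userDn = 'CN=user1,OU=Server_Admins,OU=Support_Accounts,DC=ab,DC=com'
Get-ForestDomains | Format-Table NetbiosName, DnsRoot, DefaultNC
$groupDn = Get-GroupDnFromWinNTPath -WinNTPath 'WinNT://ABAD/WinOps-Server-L3'
if ($groupDn) { Test-NestedGroupMember -UserDn $userDn -GroupDn $groupDn }
```

Two caveats a practitioner should keep in mind. The Get-ForestDomains table is the place to settle what ABAD and MS-ROOT are for this particular forest, since the crossRef objects pair every NetBIOS name with its DNS name; nothing in the post alone determines that mapping. And the in-chain rule is expanded by the DC that answers the query, which only holds the member attribute of groups in its own domain (plus universal groups when it is a global catalog), so a nested group from another domain can stop the expansion; in that case a recursive walk has to hop to that domain, building the group's LDAP path with the other domain's dnsRoot exactly as Get-GroupDnFromWinNTPath does.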