ASP.NET User Authentication in Active Directory: Who Manages Users and Groups?

The project I am working on needs to authenticate users against AD. I've never worked with AD before, nor have I worked in organizations that use AD, so here's my stupid question: in case AD is involved, who manages the roles, groups, and users for the application? Can I provide a site admin UI for assigning AD users to my application roles, or should AD admins take care of creating the appropriate groups expected by my application and assign existing AD users there?

What are the best practices in this department?


Once the remark is not a native application, so it should work with existing AD. The question is, if I expect roles such as Teacher and Student (just to illustrate this point), can I expect IT to create appropriate groups in AD and assign users to them?


3 answers


I don't think you should provide a GUI for Active Directory. Most organizations that use Active Directory manage it using the standard Active Directory tools.

If you want to handle small shops, then make the groups internal to the application database. You will still be able to use Active Directory users, but group management and membership will be internal to your application. This will avoid most of the problems associated with complex Active Directory rules and still use one character.



One more note. Group names should be customizable. Most places have a naming convention for group names.



It really depends on who owns AD and who will be in charge of managing user accounts. If this AD is isolated from your domain name, and you want your support or sales, or another business person to manage the accounts, by all means create an administration tool for them.

If you are trying to associate yourself with an existing AD, then you should work closely with your IT department; they will probably want to create accounts in their own way (especially if you are using your existing credentials).

Basically, it comes down to how your IT works, and what exactly is the relationship between AD and your AD that is running the site.



Edited

Based on the additional information, I think you need to suggest an admin console, especially if you want to target small stores. Your solution should make this optional, so if they want to use the admin UI, they can, but if the IT department wants to use PowerShell, for example, they can.



If you are writing this application for another company, I think you might assume that they will be responsible for managing AD users and groups. You just need to agree with clients which roles / groups your application will use.

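The answers above suggest keeping group names customizable and agreeing with the client which groups back which application roles. The following is an added example, not code from any of the answers, of resolving application roles from a user's AD group names through a configurable mapping; the class name, the `CONTOSO` domain and the group names are hypothetical, and the group list is assumed to come from whatever authentication layer the site uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: application roles are resolved from AD group names through
// site configuration, so each customer can keep its own naming convention.
public sealed class GroupRoleMapper
{
    // Application role -> AD group names that grant it (values are site configuration).
    private readonly Dictionary<string, HashSet<string>> _groupsByRole;

    public GroupRoleMapper(IDictionary<string, string[]> groupsByRole)
    {
        // Group names are compared case-insensitively; role names are exact.
        _groupsByRole = groupsByRole.ToDictionary(
            kv => kv.Key,
            kv => new HashSet<string>(kv.Value.Select(g => g.Trim()),
                                      StringComparer.OrdinalIgnoreCase),
            StringComparer.Ordinal);
    }

    // Returns the roles granted by the user's group memberships.
    // Groups that are not in the mapping grant nothing (deny by default).
    public IReadOnlyCollection<string> RolesFor(IEnumerable<string> userGroups)
    {
        var groups = new HashSet<string>(userGroups.Select(g => g.Trim()),
                                         StringComparer.OrdinalIgnoreCase);
        return _groupsByRole
            .Where(kv => kv.Value.Overlaps(groups))
            .Select(kv => kv.Key)
            .OrderBy(role => role, StringComparer.Ordinal)
            .ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration; group names are hypothetical.
        var mapper = new GroupRoleMapper(new Dictionary<string, string[]>
        {
            ["Teacher"] = new[] { @"CONTOSO\GG-App-Teachers" },
            ["Student"] = new[] { @"CONTOSO\GG-App-Students", @"CONTOSO\GG-App-Exchange" },
        });
        // Constructed group lists, as received after authentication.
        var teacher = new[] { @"contoso\gg-app-teachers", @"CONTOSO\Domain Users" };
        var unknown = new[] { @"CONTOSO\Domain Users" };
        Console.WriteLine(string.Join(",", mapper.RolesFor(teacher)));
        Console.WriteLine(mapper.RolesFor(unknown).Count);
    }
}
```

Because the mapping lives in configuration, IT keeps managing membership with its own AD tooling and only the group names need to be agreed on per deployment.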