retrieve group user membership when offline


slimard

Hello,

I am building a single sign-on application that will give access
based on group membership. The application can run offline or online.
When it is online, I can retrieve the group membership. Will this
work when the user is offline? The machines are XP.


Thank you
 
Why not create an object, secure it with group permissions,
and require the user to open that object? (Program objects
exist; you don't have to use a file or registry setting.)

This way you can let the OS worry about caching the user's
credentials, group membership, etc.
 
Thanks for the reply but I do not understand what you meant. Do you
have a practical example?
 
You can use a registry entry (for persistence), a file (also persistent),
a Kernel object, etc.

You create an "Object" -- objects have ACLs (Access Control Lists),
which you are likely familiar with from Files and Shares. But any true
Windows System Object has this also. You give the object (which you
created and therefore own and can change) an ACL that only allows
members of a certain group to access it -- say, open it for read (or some
other permission, since the key is just to grant/deny access).

Now when you wish to check the user for membership in that Group (or
Groups) you just attempt to open the object with the required permission
while acting as the user -- success means the user is authorized, failure
means they are not.

You can even use different permissions (for different groups) to grant
different levels of permission.

It is much simpler (in the long run) and MUCH MUCH more accurate
to let the OS calculate the Effective permissions.
 
Thank you for the explanation. Will this work also when the user is
offline (not connected to the network)? Is that information cached in
the user profile?
 
Yes, but it isn't cached in the PROFILE but rather when the user logs
onto the computer with "Cached Credentials" -- these credentials only
work locally but they are the Domain name and password, resulting in
the Security Access Token from the Domain.

The Security Access Token includes (fixed*) group membership and
rights assigned to the User account.

*Fixed, meaning those stored in the AD, as opposed to dynamic
group memberships such as Everyone, Network, Authenticated Users,
etc.
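As an added example (not code from this thread or from any poster), the PowerShell below implements the gate object described earlier in the thread and then lists the groups in the logon token that the OS evaluates, which is what the cached-credentials answer above relies on. The key path, the placeholder group SID, and the assumption that the check runs inside the logged-on user's own session (so the process token already "acts as the user") are mine, not the thread's.

```powershell
# Added example, not from the original thread. Assumptions: the authorizing
# group is given by SID (placeholder), the gate object is a registry key under
# HKLM (hypothetical path), setup runs once elevated, and the membership check
# runs in the user's own session so the process token is the user's token.

$GateSubKey = 'SOFTWARE\ExampleSSO\Gate'     # hypothetical key path

# One-time setup (run as an administrator): create the key and give it a DACL
# that only the chosen group (plus Administrators, for manageability) can read.
function New-GroupGateKey {
    param([Parameter(Mandatory)][string]$GroupSid)   # e.g. 'S-1-5-21-<domain>-<rid>' (placeholder)

    $path = "HKLM:\$GateSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    $acl = Get-Acl -Path $path
    # Cut off inherited ACEs: HKLM\SOFTWARE normally grants Users read access,
    # which would let every account pass the check.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $group  = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $group, 'ReadKey', 'Allow'))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $admins, 'FullControl', 'Allow'))
    Set-Acl -Path $path -AclObject $acl
}

# Membership check (run as the logged-on user, online or offline): try to open
# the key for read. The kernel compares the key's DACL with the group SIDs in
# the caller's logon token, which the OS built at logon, from cached
# credentials when no domain controller was reachable.
function Test-GroupGate {
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($GateSubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
            [System.Security.AccessControl.RegistryRights]::ReadKey)
        if ($null -eq $key) { return $false }   # key not present: fail closed
        $key.Close()
        return $true                              # opened: the user is a member
    } catch [System.Security.SecurityException] {
        return $false                             # access denied: not a member
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

# What the OS actually evaluates: the group SIDs carried in the logon token.
# Groups stored in AD or the local SAM (S-1-5-21-* and the BUILTIN S-1-5-32-*
# groups) are the "fixed" memberships; the rest are logon-dependent, such as
# Everyone (S-1-1-0), Network (S-1-5-2) or Authenticated Users (S-1-5-11).
function Get-TokenGroupSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $stored = @(); $logonDependent = @()
    foreach ($sid in $identity.Groups) {
        if ($sid.Value -like 'S-1-5-21-*' -or $sid.Value -like 'S-1-5-32-*') {
            $stored += $sid.Value
        } else {
            $logonDependent += $sid.Value
        }
    }
    [pscustomobject]@{ User = $identity.Name; Stored = $stored; LogonDependent = $logonDependent }
}

# Usage (elevated, once):   New-GroupGateKey -GroupSid 'S-1-5-21-<domain>-<rid>'
# Usage (as the user):      if (Test-GroupGate) { 'authorized' } else { 'denied' }
#                           Get-TokenGroupSummary
```

Two points worth keeping in mind when using this. The token's group list is fixed at logon, so a membership change made in AD is not seen by the check until the user next logs on with a domain controller reachable; a purely offline logon reuses the cached token data. And granting the gate ACE to a logon-dependent SID such as Authenticated Users defeats the purpose, because every interactively logged-on account, cached or not, carries it.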
 
Thank you. It is now clear.
 