• Using ASP to Update Active Directory


    #375201

    Hi,

    I’ve been developing an Active Server Page to update User information in Active Directory. The purpose of these pages will be that users will be able to populate and update their details in their Exchange Properties with the relevant information, phone number, fax number, address etc. via their web browser.

    I received an access denied error, which turns out to be that users don’t have write access to change their own details. On the test user security I changed SELF to have write access and that allowed the user to update their details.

    Unfortunately I don’t have any real knowledge of Active Directory so I don’t know what the security implications of this are. Would this be the correct solution? The other problem is there are thousands of users so changing every one of their security settings would be tedious. Is there a quick secure way of giving them these rights? For instance creating a group, delegating permissions and then making the users a member of this group? Or perhaps writing some sort of script? If so what permissions should be delegated to allow them access but still maintaining the security? The web page will force them to log on and then uses LDAP, so the page won’t allow them to change other users’ details unless they know someone else’s login. The pages are sitting on the Exchange server.

    Thanks for any advice in advance.

    • #609688

      A couple of options are to (1) create a domain group with proper permissions to update the AD, and assign all users membership in that group (2) create a fictional single user with proper permissions to update the AD, and pass that fictional user’s credentials as you use LDAP.

      The problem with 2, of course, is that the user credentials are hard coded and a potential security risk. The problem with 1 is that it may be more expansive than your network admin is comfortable with, and we all want happy network admins! The trade off here is less administrative work for tech support staff vs. a potential loss of some security.

      What if, and don’t all cockamamie ideas start like that?!, you had an Exchange form with text boxes corresponding to the fields you want users to be able to update. The user fills out the form, and routing takes it to a tech with proper permissions to update the AD. The tech reviews the request, presses a button, and the AD is automagically updated with the data in the Exchange form using the tech’s credentials. This might be a happy medium where the user can kind of set their own info, a level of security and control over what’s in the AD is maintained, and tech time is kept to a minimum.

      At any rate, I’d encourage you to sit down with your network admin, explain what you’re trying to do, and explore options together. Best of luck!

      • #609938

        Shane,

        Thanks for taking the time to reply. Your option one was the one I had already tried so I know that works and would probably be the preferred option. However as you point out there is a trade-off, if the group SELF is assigned write access then I assume they have delegated write access to everyone in their container. In theory that would be OK, in that the ASP page will only allow them to change their own details, but if someone knew what they were doing and used something like ADSI Edit then I guess it is a risk albeit minimal.

        Your last point is a good idea, it’s just that we have 6000 users, so the purpose of the ASP pages was to prevent one person dealing with 6000 users’ details.

        What would be ideal would be if there was some quick way to update the GLOBAL settings for the group SELF. When you look in the security tab and select the group SELF it has been set up with read permissions. If there was one quick way to give it write access for every user that would be better, because then I assume every user would be able to change their own details but no one else’s. Again though, it wouldn’t be much fun trawling through 6000 users changing this setting.

        Oh and my email is on the way to tech support to discuss 🙂

        Thanks again.
        George
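
As an added example, not part of the original thread: one way to apply the delegation discussed above to thousands of users at once is a single inherited ACE on the containing OU that grants SELF write access to the Personal-Information property set only. The OU distinguished name is a placeholder assumption; the SID and GUIDs are the well-known values for SELF, the Personal-Information property set and the user class.

```powershell
# Added example: one inherited ACE instead of editing 6000 user objects.
# Assumption: $ouDn is a placeholder; point it at the OU that holds the users.
Add-Type -AssemblyName System.DirectoryServices
$ouDn = 'OU=Staff,DC=example,DC=com'

# Well-known identifiers (the same in every forest).
$self        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10' # SELF
$personalSet = [Guid]'77B5B886-944A-11d1-AEBD-0000F80367C1' # Personal-Information property set
$userClass   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # schemaIDGUID of class "user"

# Allow SELF to write only the attributes in that property set,
# inherited by descendant objects of class user (not the OU itself).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $personalSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$ou = [ADSI]"LDAP://$ouDn"
# Read and write the DACL only, so owner and SACL are left untouched.
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Verify: list the explicit SELF ACEs on the OU that target the property set.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $self -and $_.ObjectType -eq $personalSet } |
    Format-List ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType
```

SELF is evaluated against the object being accessed, so with this ACE each account can write only its own attributes, and attributes outside the property set stay read-only. Run it with an account that is allowed to modify permissions on the OU.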
