Title: Re: [ActiveDir] groups vs attributes

Two other questions on why it might be “slower” to enumerate the members of a universal group. Since UGs are kept by GCs, are your developers doing a query in a site with a GC? Are all of your DCs also GCs?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes

 

I’m not following Rick and Al on the security factor. Why would using the attribute method be less secure, assuming we control who can populate the attribute, the same as we control who can add members to a group? Maybe I’m missing the point though…thanks for your thoughts guys

 

<mc>


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Tuesday, October 19, 2004 10:05 AM
To: ActiveDir List
Subject: Re: [ActiveDir] groups vs attributes

 



From a Dev standpoint using attributes and requiring schema extensions is undeniably sexier. And you would be extending the schema eventually – possibly for every application that you deploy. There are only so many attributes to use for this sort of thing before you start wanting your own specific one.

From an administrative standpoint, I’m with Al – only I’ll go a level further – managing that would become a nightmare, and every application that gets rolled out would make things even more convoluted. There are lots of good reasons to populate attributes with different values, but circumventing AD security probably isn’t one of them! (The term ‘Recipe for Disaster’ comes to mind)

On 10/19/04 9:36 AM, "Mulnick, Al" <[EMAIL PROTECTED]> wrote:

Personally, I think they should have a look at why their queries take longer than they want.  Likely they are checking the memberof attribute to find out what the group membership is, right?

I think they could use an attribute, but I think that's not guaranteed to be faster either.  I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?).

That's the way I think though :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application?

Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster than returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?

Any notes from the field would be much appreciated!

Mark Creamer

Systems Engineer

Cintas Corporation

The Service Professionals


