RE: [ActiveDir] groups vs attributes

[Mulnick, Al]

Title: groups vs attributes

Personally, I think they should have a look at why their queries take longer than they want.  Likely they are checking the memberof attribute to find out what the group membership is, right?

 

I think they could use an attribute, but I think that's not guaranteed to be faster either.  I think they also may want to consider what the administrative and troubleshooting overhead is if they use an attribute vs. a group membership (why aren't they using Active Directory security again?).

 

That's the way I think though :)

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3^rd party vendors) continue to create apps that leverage AD, the question comes up frequently - which is a better solution...to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application?

Our "standard" has been to use universal groups for this sort of thing, that is, UserA can access the application, if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster that returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?

Any notes from the field would be much appreciated!

Mark Creamer

Systems Engineer

Cintas Corporation

The Service Professionals