Re: retrieve group user membership when offline by slimard
slimard
Mon Apr 28 07:46:49 PDT 2008
On Apr 26, 6:51 am, "Herb Martin" <n...@learnquick.com> wrote:
> <slim...@gmail.com> wrote in message
>
> news:494e66de-97e3-4b23-b177-4445c091baed@x41g2000hsb.googlegroups.com...
> On Apr 23, 8:19 pm, "Herb Martin" <n...@learnquick.com> wrote:
>
> > <slim...@gmail.com> wrote in message
>
> >news:8dc8448b-8d70-4eef-97f8-0a6c9fa76b83@f36g2000hsa.googlegroups.com...
>
> > > Thanks for the reply but I do not understand what you meant. Do you
> > > have a practical example?
>
> > You can use a registry entry (for persistence), a file (also persistent),
> > a Kernel object, etc.
>
> > You create an "Object" -- objects have ACLs (Access Control Lists)
> > which you are likely familiar with from Files and Shares. But any true
> > Windows System Object has this also. You give the object (which you
> > created and therefore own and can change) an ACL that only allows
> > members of a certain group to access it -- say open it for read (or some
> > other permission since the key is just to grant/deny access.)
>
> > Now when you wish to check the user for membership in that Group (or
> > Groups) you just attempt to open the object with the required permission
> > while acting as the user -- success means the user is authorized, failure
> > means they are not.
>
> > You can even use different permissions (for different groups) to grant
> > different levels of permission.
>
> > It is much simpler (in the long run) and MUCH MUCH more accurate
> > to let the OS calculate the Effective permissions.
>
> > On Apr 23, 12:00 am, "Herb Martin" <n...@learnquick.com> wrote:
>
> > > <slim...@gmail.com> wrote in message
>
> > >news:31632781-f17f-486b-b328-f328b12527a3@k37g2000hsf.googlegroups.com...
>
> > > > Hello,
>
> > > > I am building a single sign-on application that will give access
> > > > based on group membership. The application can run offline or online.
> > > > When it is online, I can retrieve the group membership. Will this
> > > > work when the user is offline? The machines are XP.
>
> > > Why not create an object, secure it with group permissions,
> > > and require the user to open that object? (Program objects
> > > exist, you don't have to use a file or registry setting.)
>
> > > This way you can let the OS worry about caching the users
> > > credentials, group membership etc.
>
> > Thank you for the explanation. Will this work also when the user is
> > offline (not connected to the network)? Is that information cached in
> > the user profile?
>
> Yes, but it isn't cached in the PROFILE but rather when the user logs
> onto the computer with "Cached Credentials" -- these credentials only
> work locally but they are the Domain name and password, resulting in
> the Security Access Token from the Domain.
>
> The Security Access Token includes (fixed*) group membership and
> rights assigned to the User account.
>
> *Fixed, meaning those stored in the AD, as opposed to dynamic
> group memberships such as Everyone, Network, Authenticated Users,
> etc.
Thank you. It is now clear.
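The check Herb describes, as an added example that is not code from the thread: a registry key under HKLM whose DACL grants read only to one group, and an application-side open that lets the kernel do the membership test against the logged-on user's token. The key path and group name are assumptions.

```powershell
# Added example, not code from the thread. The key path and group name are assumptions.
$GateSubKey = 'SOFTWARE\ExampleSso\Gate'    # hypothetical key under HKLM
$GateGroup  = 'CONTOSO\SsoAppUsers'          # hypothetical domain group

# --- One-time setup, run by the installer with administrative rights -----------------
function New-GateKey {
    param([string]$SubKey, [string]$Group)
    $path = "HKLM:\$SubKey"
    New-Item -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    # Replace the inherited DACL with an explicit one: only the group (plus SYSTEM and
    # Administrators) may read the key. Ordinary users do not own the key, so they
    # cannot rewrite its ACL to let themselves in.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($e in @(
        @($Group,                   'ReadKey',     'Allow'),
        @('NT AUTHORITY\SYSTEM',    'FullControl', 'Allow'),
        @('BUILTIN\Administrators', 'FullControl', 'Allow'))) {
        $acl.AddAccessRule(
            [System.Security.AccessControl.RegistryAccessRule]::new($e[0], $e[1], $e[2]))
    }
    Set-Acl -Path $path -AclObject $acl
}
# New-GateKey -SubKey $GateSubKey -Group $GateGroup    # run once, elevated

# --- Runtime check, run by the application in the logged-on user's own context -------
function Test-GateAccess {
    param([string]$SubKey)
    try {
        # Opening for KEY_READ makes the kernel evaluate the DACL against the caller's
        # access token. That token was built at logon (from cached credentials when
        # offline), so no domain controller is contacted here.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $false)
        if ($null -eq $key) {
            Write-Warning "Gate key '$SubKey' not found; failing closed."
            return $false
        }
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false   # access denied: no group in the token is allowed on the key
    }
}

# The same token's group SIDs, which is exactly what the DACL evaluation consults.
function Get-TokenGroupSids {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
}

if (Test-GateAccess -SubKey $GateSubKey) { 'authorized' } else { 'not authorized' }
```

The token's group list is fixed at logon, so a membership change made in AD takes effect only after the user next logs on with the domain reachable, which also refreshes the cached credentials.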