windows AD user authentication

Hi all,

for a project I must accomplish the following:

I must be able to find out if a domain user can log on remotely (RDP) on a given system that I know the IP and DNS name of. So I have to authenticate the user against the given system that is controlled by the domain, or against the SAM database if the system is not controlled by the domain (for instance a member server)?

Is there a way to accomplish this?

Any help or ideas would be enormously appreciated.

By verhaeghe_berta at 2007-10-3 4:03:31
# 1

It's not clear what your question is.

Do you want to find out whether a user's credentials are valid?

Or do you want to find out whether a user has been configured to use Terminal Services?

Note that if the server is a member server, it is by definition a member of a domain and is always capable of authenticating users against AD as well as the local account store (SAM). It is only stand-alone servers that authenticate credentials against their local store (not entirely true, but for the purpose of this discussion...).

adler_stevena at 2007-7-14 22:02:31
# 2

First of all, sorry for the unclear question (still improving my English :) ).

Actually there are two scenarios.

First scenario: remote machine is a domain member

Now I must validate the user's credentials against the AD; this isn't a problem, I've read your posts :). And I have to be able to find out whether the user has been configured to use Terminal Services (whether he is a member of the "Remote Desktop Users" group on that particular machine).

Second scenario: remote machine is not in a domain

Actually I need to perform the same two steps from above. But is it possible to validate a user against the SAM from Java? And is it possible to find out if the user is a member of the local group "Remote Desktop Users"?

Thank you for the help.

verhaeghe_berta at 2007-7-14 22:02:31
# 3

OK. For the first scenario, it seems you've solved the problem of verifying the user's credentials.

Next problem is enumerating membership of the "Remote Desktop Users" group.

This could be interesting depending on how the groups have been configured in your organisation.

First of all there is a group called "Remote Desktop Users" that exists in the built-in container in the Active Directory domain. If a user is a member of this group, you could determine this from either examining the group's members attribute, or looking at a user's tokenGroups attribute and seeing if the Security Identifier (SID) for the Remote Desktop Users group is present.

Primarily this group is used to determine whether a user can create a remote desktop connection to a domain controller.

However, on all member servers (and for that matter even client workstations) there is a local group also called "Remote Desktop Users", which is used to determine whether a user can create a remote desktop connection to the server/workstation. Because this is a local group, it exists in the local machine's Security Accounts Manager (SAM), which is accessed programmatically via the NTLM protocols (Win32 Net APIs).

I don't think there is a native JNDI Name Service provider for NTLM (I could always be wrong!), so you will have to use either JCIFS or one of the Java/COM interop solutions to access the SAM via NTLM. I have not used any of these so cannot provide any further useful advice.

For your second scenario, the above holds true. You would have to use a Java/COM interop or JCIFS solution to verify the user's credentials on local machines.

Here's where it may get interesting. A member server's "Remote Desktop Users" group may contain users or groups from the Active Directory Domain. For example the Active Directory "Remote Desktop Users" group may contain specific users or another group, perhaps a built-in group such as "Authenticated Users".

And the Active Directory domain "Remote Desktop Users" group could be a member of a local machine's "Remote Desktop Users" group.

So your application may have to be able to recurse group memberships and resolve nested groups. A poorly written program could have a major performance impact, so beware!

The obvious question is "Why do you need to do this?" "What problem are you trying to solve?"

adler_stevena at 2007-7-14 22:02:31
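The domain half of reply #3 (validate the credentials against AD, then look for the Remote Desktop Users SID in the user's tokenGroups rather than recursing nested groups yourself) can be put together with plain JNDI. The following is an added example written for this thread, not code from any of the posters: it assumes an LDAPS-reachable domain controller (`ldaps://dc.example.com`), a search base (`DC=example,DC=com`) and a user principal name (`alice@example.com`), all placeholders, and it relies on the DC expanding transitive group membership into `tokenGroups`. `S-1-5-32-555` is the well-known SID of the built-in Remote Desktop Users group.

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

public class RdpGroupCheck {
    // Well-known SID of BUILTIN\Remote Desktop Users.
    static final String REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555";

    // Step 1: validate the credentials with a simple bind as the user over LDAPS.
    // An empty password is refused up front: AD treats it as an anonymous bind, which "succeeds".
    static LdapContext bindAsUser(String ldapsUrl, String upn, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            throw new NamingException("empty password refused (would become an anonymous bind)");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        // tokenGroups holds raw binary SIDs; tell JNDI not to decode them as strings.
        env.put("java.naming.ldap.attributes.binary", "tokenGroups objectSid");
        return new InitialLdapContext(env, null); // throws on bad credentials
    }

    // Step 2: locate the user's DN. The {0} placeholder makes JNDI escape the value,
    // so a UPN containing filter metacharacters cannot alter the search filter.
    static LdapName findUserDn(LdapContext ctx, String searchBase, String upn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // DN only, no attributes
        NamingEnumeration<SearchResult> hits = ctx.search(searchBase,
                "(&(objectClass=user)(userPrincipalName={0}))", new Object[] {upn}, sc);
        if (!hits.hasMore()) {
            throw new NamingException("no user object with userPrincipalName " + upn);
        }
        return new LdapName(hits.next().getNameInNamespace());
    }

    // Step 3: read tokenGroups. The DC fills it with the user's transitively expanded group SIDs,
    // so nested domain groups are already resolved and no recursion over "member" is needed.
    static Set<String> tokenGroupSids(LdapContext ctx, LdapName userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE); // tokenGroups is only returned on a base search
        sc.setReturningAttributes(new String[] {"tokenGroups"});
        Set<String> sids = new HashSet<>();
        NamingEnumeration<SearchResult> res = ctx.search(userDn, "(objectClass=*)", sc);
        while (res.hasMore()) {
            Attribute tg = res.next().getAttributes().get("tokenGroups");
            if (tg == null) continue;
            NamingEnumeration<?> values = tg.getAll();
            while (values.hasMore()) {
                sids.add(sidToString((byte[]) values.next()));
            }
        }
        return sids;
    }

    // Convert a binary SID (revision, sub-authority count, 48-bit big-endian authority,
    // then 32-bit little-endian sub-authorities) to its "S-1-..." string form.
    static String sidToString(byte[] sid) {
        StringBuilder sb = new StringBuilder("S-").append(sid[0] & 0xFF);
        int count = sid[1] & 0xFF;
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFF);
        }
        sb.append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int off = 8 + 4 * i;
            long sub = (sid[off] & 0xFFL) | ((sid[off + 1] & 0xFFL) << 8)
                    | ((sid[off + 2] & 0xFFL) << 16) | ((sid[off + 3] & 0xFFL) << 24);
            sb.append('-').append(sub);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Usage (placeholder values): java RdpGroupCheck ldaps://dc.example.com DC=example,DC=com alice@example.com
        String url = args[0], searchBase = args[1], upn = args[2];
        char[] password = System.console().readPassword("Password for %s: ", upn);
        LdapContext ctx = bindAsUser(url, upn, password);
        java.util.Arrays.fill(password, '\0');
        try {
            Set<String> sids = tokenGroupSids(ctx, findUserDn(ctx, searchBase, upn));
            boolean rdp = sids.contains(REMOTE_DESKTOP_USERS_SID);
            System.out.println(upn + (rdp ? " is" : " is NOT") + " in the domain Remote Desktop Users group");
        } finally {
            ctx.close();
        }
    }
}
```

This settles only the domain-level group that the reply describes. The local "Remote Desktop Users" group on the target member server lives in that machine's SAM and is not visible over LDAP, so the local check still needs JCIFS or COM interop as the reply says, and the two results have to be combined (the local group may contain the domain group). Whether a membership that arrives through a well-known SID such as "Authenticated Users" shows up in tokenGroups is something to verify against your own DC rather than assume.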