Active Directory query from C# web app - store permissions in SQL

Question

We have a bespoke c# web app that stores extra information about a physical folder structure. Every folder or file in the company share has a record in sql. We use the web app to search these records. I want to store active directory permissions of the physical paths against the sql records.

1. What is the preferred method of querying AD in c# (.net 3.5)?

2. Do I store the friendly group/user name or the SID?

3. Is the SID unique?

4. Does the SID change if a user moves to another location (differnet OU)?

The idea is that the query can look like this...

SELECT CompanyDoc.Name, CompanyDoc.Path

FROM   CompanyDoc

INNER JOIN Permission ON CompanyDoc.ID = Permissions.CompanyDocID

WHERE CompanyDoc.MetaData = @serach param

AND   Permission.SID IN ( @userSidList )

GROUP BY CompanyDoc.Name, CompanyDoc.Path

Answer 1

I can't answer all of your points but for point 1. try looking at LINQ To AD It is a nice way to talk to Active Directory from C# since you are already in .NET 3.5.

Answer 2

1) You can't query AD to get the permissions on the file. You have to query the filesystem for that. You can get the users and roles by querying AD, though.

2) The SID.

3) Yes, for your AD users it is. For special built-in accounts, they will be shared across systems.

4) No.

By the way, the whole concept of your app kind of scares me. It sounds like you might need to go back to the drawing board.

Answer 3

There's an excellent MSDN Magazine Article available which shows how to query for and manage user and groups in .NET 3.5 Active Directory (the "System.DirectoryServices.AccountManagement" namespace):

Managing Directory Security Principals in the .NET Framework 3.5

That should help you get started.

Marc