I'm writing an intranet application for a client and I want to give them the ability to configure through an admin interface, which users and user groups can access certain areas. What I'd like to know is the best way of storing the reference to the user or group that is assigned to an area of the intranet.

Should I be using the domain\username and domain\groupname strings, or should I perhaps be using the fully qualified AD name, i.e. ou=computer room;cn=blah etc.?

I will be storing the reference in SQL.

A: 

Personally, I believe that the "Domain\Username" format is sufficiently readable.

Also, if you were editing the SQL table directly, you could pretty easily insert a record for a user for testing or debugging purposes.

UnhipGlint
I like the idea of using domain\username; however, I just wondered if there were any issues with using it, potential conflicts etc.
dnolan
A: 

If you want to be absolutely sure you have the right user / group you could use the SID (security identifier that exists on any object in Active Directory that can be assigned permissions, and it's a GUID).

I am not sure what the context of the application is, but perhaps look at using Active Directory security to stop users from going to places they should not be going, or, if it is not a high volume site, some of that could perhaps be done with integrated authentication, doing the security validation in SQL.

I have had frustrations with LDAP queries and AD, as different domain controllers can sometimes give different answers, or not even find the object, or require you to log in before you can query AD.

Rihan Meij
A: 

I would use domain\group in case the group gets moved or deleted/recreated. Using CN is brittle in the face of changes to the OU structure. SIDs are not human readable and will break if the object is deleted/recreated.

tvanfosson
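The answers above weigh domain\name against DN against SID. The following is an added example (not code from the thread, and in Python rather than whatever the intranet application is written in) that shows the SID route end to end: converting AD's binary objectSid to and from the S-1-5-21-... string, storing that string as the key in a SQL table with the DOMAIN\name cached alongside it for the admin UI, checking access against the SIDs in a caller's token, and flagging rows whose SID no longer resolves, which is exactly what happens when a group is deleted and recreated, as the last answer warns. The domain SID, RIDs, group and area names are made up, and the `resolve` callback stands in for a LookupAccountSid or LDAP lookup; the objectSid byte layout is the real one.

```python
"""Store AD principals by SID in SQL; resolve names only for display.

Added example, not from the original thread. The SIDs, domain name and
area names are constructed; the objectSid layout is the real one.
"""
import sqlite3
import struct

# ---- SID string <-> objectSid bytes ------------------------------------------
# AD's objectSid attribute is binary: revision (1 byte), sub-authority count
# (1 byte), 48-bit identifier authority (big-endian), then N 32-bit
# sub-authorities (little-endian). "S-1-5-21-..." is the string rendering.

def sid_bytes_to_string(raw: bytes) -> str:
    """Render an objectSid byte string as S-<rev>-<authority>-<sub>-<sub>..."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; rejects anything not shaped S-R-A-..."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# ---- Access table keyed on SID, DOMAIN\name cached for the admin UI ----------

SCHEMA = """
CREATE TABLE area_access (
    area          TEXT NOT NULL,
    principal_sid TEXT NOT NULL,   -- stable key; survives renames and OU moves
    display_name  TEXT NOT NULL,   -- DOMAIN\\name at grant time, for humans only
    PRIMARY KEY (area, principal_sid)
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def grant(conn, area: str, sid: str, display_name: str) -> None:
    sid_string_to_bytes(sid)  # validate the SID before it reaches the table
    conn.execute("INSERT OR REPLACE INTO area_access VALUES (?, ?, ?)",
                 (area, sid, display_name))


def can_access(conn, area: str, token_sids) -> bool:
    """token_sids: the caller's own SID plus every group SID in its logon token.
    The IN list is built from '?' placeholders, so every value is bound."""
    token_sids = list(token_sids)
    if not token_sids:
        return False
    marks = ",".join("?" * len(token_sids))
    row = conn.execute(
        "SELECT 1 FROM area_access WHERE area = ? AND principal_sid IN (%s) LIMIT 1"
        % marks, [area, *token_sids]).fetchone()
    return row is not None


def stale_entries(conn, resolve):
    """Rows whose SID no longer resolves (object deleted, or deleted/recreated).
    `resolve` stands in for LookupAccountSid / an LDAP objectSid search."""
    rows = conn.execute("SELECT area, principal_sid, display_name FROM area_access")
    return [(area, sid, name) for area, sid, name in rows if resolve(sid) is None]


def demo():
    """Constructed scenario: a group is granted access, then deleted and
    recreated under the same name, which gives it a new SID."""
    domain = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
    old_group, new_group, alice = domain + "-1105", domain + "-1210", domain + "-1500"
    conn = open_store()
    grant(conn, "computer-room", old_group, "CORP\\ComputerRoomStaff")
    before = can_access(conn, "computer-room", [alice, old_group])
    # After recreation Alice is a member again, but her token carries the new SID.
    after = can_access(conn, "computer-room", [alice, new_group])
    directory = {new_group: "CORP\\ComputerRoomStaff", alice: "CORP\\alice"}
    return before, after, stale_entries(conn, directory.get)


if __name__ == "__main__":
    print(demo())
```

The table key is the SID string, so a rename or an OU move never touches a row, while the cached DOMAIN\name keeps the admin page readable. The `stale_entries` report is the operational counterpart of the recreation problem: once a group is recreated the old row silently grants nothing, so the admin interface should surface such rows for re-granting rather than leave them to be discovered by a user who has lost access.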