Last post Mar 23, 2012 01:50 PM by gww
Mar 22, 2012 11:48 AM | mburns_08109
I have a small issue and I’m seeking some advice on the best course to take here…
I have an MS Access database application, it is running as a Front-end/Back-end split application in a Windows AD Domain environment for a US state governmental agency, so the AD forest is rather large, and queries on the Active Directory for the domain are somewhat expensive, time-wise. Some of the application’s internal security is regulated by means of AD Group membership. Hence, for a user, not only are there lookups on the domain needed for AD group membership, but quite possibly multiple lookups.
I could conceivably reorganize the way we’re doing this and create a SQL Server database cache of some of the AD group data, as the SQL Server queries may run faster than the AD queries in this large of an environment. However, I’m not at all committed to this course of action. Perhaps the previous developers who created this AD query code in VBA we’re using merely used a less efficient/less-optimal means of querying the directory…? I don't know and I haven't had to touch any LDAP or directory queries since my days long past of doing Admin stuff on a Novell 3.x/4.x LAN...
Here are some of the key lines of VBA code to show what’s at the heart of our current method:
Dim objGroup As Object   ' IADsGroup bound through the WinNT (NT4-style) provider
Dim isMember As Boolean
Call status_show("Checking group membership for " & accessGroupName)
Set objGroup = GetObject("WinNT://" & domainName & "/" & adGroupName & ",group")
isMember = objGroup.isMember("WinNT://" & domainName & "/" & userName)   ' one directory round trip per check
If you have any pointers or reference you can point me to for this type of situation, I’d be most appreciative. I’m sure I’m not the first to have an issue like this...
Mar 22, 2012 07:46 PM | rojay12
It looks like whoever wrote it was going about it the right way.
I know how to do this from .Net but Access
Mar 22, 2012 09:05 PM | gww
What are you trying to do? Is that code supposed to check each user to see if they are a member of the group?
Mar 23, 2012 11:38 AM | mburns_08109
Yes - the code is currently written to repetitively call that code snippet (and some other stuff, of course) to query the Active Directory and to basically inquire "is _this user_ a part of _this AD group_?" several times - in order to determine certain application security configuration options.
i.e. an App "Power User" from an "App Admin" from an "Inquiry User" etc. There are multiple special categories as well - each with some possibly variable level of permissions to parts of the application and database. However, as I indicated, this method of querying the directory seems to be rather expensive, time-wise, and I was hoping to find out if there wasn't a better-performing option available.
The Active Directory being interrogated is for a state government network, and the AD structure and forest is large and complex with multiple levels of depth, and WAN links and all the imaginable complexity one could guess might be involved. TONS of organizations and organizational levels are included...way too many to want to enumerate, which is what I think this query is basically doing.
Mar 23, 2012 01:50 PM | gww
How often does it run that query? If you need to step through each individual user and run this check, it will take a long time. It might be helpful to know when this check is done and why. The application would probably work better if it only checked the user who was accessing the application instead of checking everyone at once, if that is how it's working.
Or at least make the call only once when they first access the application and set variables for the entire application.
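The approach gww describes (resolve the current user's groups once at startup and keep the result in application-wide variables), as an added VBA example that is not from the thread or its authors: one LDAP read of the user's tokenGroups attribute, which also includes nested group memberships, resolved to DOMAIN\Group names and cached in a Dictionary so every later permission check is a local lookup. It assumes late-bound ADSI objects (ADSystemInfo, NameTranslate) and that the Access front-end runs under the domain account being checked; the function and variable names are made up for the example.

```vba
Option Explicit

' Cache of the current user's group names (NT4 style, DOMAIN\Group), built once.
Private mGroups As Object   ' Scripting.Dictionary, case-insensitive keys

' Load every group the current user belongs to, nested groups included, in one
' LDAP read of the constructed attribute tokenGroups (SIDs), and resolve the
' SIDs to names with the ADSI NameTranslate object. Returns the number cached.
Public Function LoadUserGroups() As Long
    Const ADS_NAME_INITTYPE_GC = 3
    Const ADS_NAME_TYPE_NT4 = 3
    Const ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12
    Dim objUser As Object, objTrans As Object
    Dim sids As Variant, sid As Variant, ntName As String

    Set mGroups = CreateObject("Scripting.Dictionary")
    mGroups.CompareMode = vbTextCompare

    ' ADSystemInfo.UserName is the DN of the logged-on user running Access
    Set objUser = GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)
    objUser.GetInfoEx Array("tokenGroups"), 0
    sids = objUser.GetEx("tokenGroups")

    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    For Each sid In sids
        On Error Resume Next   ' skip SIDs with no resolvable name (e.g. well-known SIDs)
        objTrans.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, OctetToHexStr(sid)
        ntName = objTrans.Get(ADS_NAME_TYPE_NT4)
        If Err.Number = 0 Then mGroups.Item(ntName) = True
        On Error GoTo 0
    Next
    LoadUserGroups = mGroups.Count
End Function

' Membership check against the cache: no directory round trip per call.
' Pass the NT4 name, e.g. domainName & "\" & adGroupName from the snippet above.
Public Function IsInGroup(ByVal ntGroupName As String) As Boolean
    If mGroups Is Nothing Then LoadUserGroups
    IsInGroup = mGroups.Exists(ntGroupName)
End Function

' Convert an ADSI octet string (byte array holding a SID) to a hex string.
Private Function OctetToHexStr(ByVal octets As Variant) As String
    Dim i As Long
    For i = LBound(octets) To UBound(octets)
        OctetToHexStr = OctetToHexStr & Right("0" & Hex(octets(i)), 2)
    Next
End Function
```

Call LoadUserGroups once at login (for example from the startup form) and replace each WinNT IsMember call with IsInGroup; the cache reflects the token at logon, so a user whose group membership changes sees it after restarting the application.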