Udostępnij za pośrednictwem


Create Proxy user in ADAM/AD LDS programmatically

A proxy object is an object in ADAM that represents a security principal in Active Directory. Each proxy object in ADAM contains the SID of a user in Active Directory. Proxy objects (and proxy object classes) do not exist by default in ADAM. However, you can import a proxy object class into the ADAM schema during ADAM installation. A proxy object can be created from any object class that contains the msDS-bindProxy auxiliary class. The msds-BindProxy class possesses a single "must contain" attribute, ObjectSid, which holds the SID of the associated Active Directory security principal. You can set the value of ObjectSid only at the time that the object is created. After a proxy object is created, the value of its ObjectSid attribute cannot be modified. You can set the ObjectSid of a proxy object to the SID of any local Windows user or to any user who is a member of a domain or forest that is trusted by the computer on which ADAM is running.

Here are the steps to create proxy user "CN=ProxyUser" for a domain user "testuser" using Vb.net code.

Step1. Create Domain User object:

            Dim adUser As DirectoryEntry

      adUser = New DirectoryEntry("LDAP://CN=testuser,CN=Users,DC=mydomain,DC=com")

Step2. Create ADAM container object:

            Dim rootADAM As DirectoryEntry

            rootADAM = New DirectoryEntry("LDAP://WIN-H7C23TQC12L:50000/CN=partition1,DC=myadam,DC=com")

            Here WIN-H7C23TQC12L is the ADAM machine, 50000 is the port configured for ADAM bind.

Step3. Create Proxy user object:

            Dim proxyUser As DirectoryEntry

            proxyUser = rootADAM.Children.Add("CN=ProxyUser", "userProxy")

Step4. Set some properties for the proxy user object:

   proxyUser.Properties("displayName").Value = "ProxyUser"

            proxyUser.Properties("userPrincipalName").Value = "ProxyUser@adamtest.com"

Step5. Get the ObjectSID of the domain user and convert it into SDDL format (i.e. "s-1-5-...").

   Dim sidBytes As Byte() = CType(adUser.Properties("ObjectSID").Value, Byte())

   Dim SI As System.Security.Principal.SecurityIdentifier = New Security.Principal.SecurityIdentifier(sidBytes, 0)

  

Step6. Set ObjectSID of the proxy user with the SID of the Domain user:

   proxyUser.Properties("objectsid").Value = SI.ToString

Step7. Commit changes to the ADAM to create the proxy user "CN=ProxyUser"

            proxyUser.CommitChanges()

 

Note that you cannot create a proxy object for a domain user in an ADAM directory partition that already contains a foreign principal object (FPO) for that same domain user.

technet.microsoft.com/en-us/library/cc755705(WS.10).aspx

Comments

  • Anonymous
    September 05, 2010
    This is a good idea, but quite incomplete. I cannot understand how to connect to ADAM to crate the proxy bind user without providing credentials. It also does not explain how to connect to ADAM after user creation. Hope you can help, and complete the example. Thanks

  • Anonymous
    August 19, 2011
    The article is not incomplete. The things you are asking for is stuff you already should be familiar with if you at all need to create proxy-accounts in adam.

  • Anonymous
    May 17, 2012
    The only attributes that are needed to successfully create a 'userProxyFull' are 'CN' and 'objectSid'. After setting those attributes call commitchanges(). Then you can safely set other attribtues. That seems to work 100% of the time. There are certain sets of attributes that can't be set initially for different object types with ADSI...which is what S.DS surfaces. It's the same for ADDS object types. BTW this is one of maybe 2 articles on the entire internet with this code listing...'userProxyFull' specific. Cheers.