Tags: c#, .net, active-directory, roles, directoryentry

Save custom user roles in Active Directory user properties


Is it possible to save a custom string in an Active Directory user? For example, a string that contains a list of user roles separated with semicolons? For example, a DirectoryEntry contains something like a userRoles attribute that has the value read;write; or something similar?

I'm trying to set and access that information using C#.

Thanks a lot!


Solution

  • You basically have three options for doing this.

    1. If you have Exchange installed in your organization, it will automatically add extensionAttribute1 - 15 in AD, which can be used to store user-defined data.
    2. You can use unused fields, such as physicalDeliveryOffice, to store custom data.
    3. IF (big if) you can convince your network admins of the benefit, you can actually extend the active directory schema to store your own user-defined data.

    In all cases, you would query these fields (e.g. using System.DirectoryServices.AccountManagement) to interact with the data. Active Directory isn't meant to be a transactional database though. If you need to store custom data about your users that can be accessed by your applications, you would most likely be better off taking a look at something like ASP.NET Membership and Roles (older but proven tech) or ASP.NET Identity. Since I am more familiar with Membership and Roles I will use it as an example. The authentication (membership) and authorization (roles) aspects are separate, meaning that your users could be authenticated using AD using the built-in provider, but then use a custom role provider implementation that (for example) checked their role membership against a SQL database, web service, XML file, or whatever else you could dream up. You can even check against multiple sources (such as AD groups AND a SQL database), implement caching if performance is an issue, and so on.

    Active Directory has some drawbacks, such as:

    • Developers usually don't control it, meaning red tape any time you need to extend your application
    • Depending on how you query AD, performance can be extremely poor compared to something like a SQL database
    • Good luck convincing the server folks to restore Active Directory in the event that some error corrupts your custom data
    • There is no guarantee that the new network admin intern won't decide to stick some other, incompatible data in your custom field
    • If you want to update the data in the field from your application, you are going to have to convince your network admins/security folks that your application can do this in a secure manner that does not risk users modifying other, more critical data

    So while it is possible to store custom data in AD, it is often undesirable, labor-intensive, and unsafe.
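As an added illustration of option 1 above (not code from the answer's author), the following C# reads and writes a semicolon-separated role list in the Exchange-provisioned extensionAttribute1 through DirectoryEntry, validating each token before it is persisted so an unexpected value cannot smuggle in a delimiter or junk; the LDAP path is a placeholder and the bind account is assumed to have write rights on that one attribute only.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text.RegularExpressions;

static class AdUserRoles
{
    // Exchange-provisioned attribute; a schema extension would use its own attribute name instead.
    const string RoleAttribute = "extensionAttribute1";
    // Only simple tokens are accepted so a stray value cannot act as a delimiter or be misparsed later.
    static readonly Regex RoleToken = new Regex("^[A-Za-z0-9_-]{1,64}$");

    // Returns the roles stored on the user as a case-insensitive set (empty if the attribute is unset).
    public static HashSet<string> ReadRoles(DirectoryEntry user)
    {
        var raw = user.Properties[RoleAttribute].Value as string ?? string.Empty;
        return new HashSet<string>(
            raw.Split(';').Select(r => r.Trim()).Where(r => r.Length > 0),
            StringComparer.OrdinalIgnoreCase);
    }

    // Writes the role set back; malformed tokens are rejected rather than written into AD.
    public static void WriteRoles(DirectoryEntry user, IEnumerable<string> roles)
    {
        var clean = roles.Select(r => r.Trim()).Where(r => r.Length > 0).ToList();
        var bad = clean.Where(r => !RoleToken.IsMatch(r)).ToList();
        if (bad.Count > 0)
            throw new ArgumentException("Invalid role tokens: " + string.Join(", ", bad));
        var value = string.Join(";", clean.Distinct(StringComparer.OrdinalIgnoreCase));
        if (value.Length == 0) user.Properties[RoleAttribute].Clear();
        else user.Properties[RoleAttribute].Value = value;
        user.CommitChanges();
    }

    static void Main()
    {
        // Placeholder DN (assumption); bind as the current process identity.
        using (var user = new DirectoryEntry("LDAP://CN=Jane Doe,OU=Users,DC=example,DC=local"))
        {
            var roles = ReadRoles(user);   // e.g. {"read"}
            roles.Add("write");
            WriteRoles(user, roles);       // persists "read;write"
            Console.WriteLine(string.Join(";", ReadRoles(user)));
        }
    }
}
```

Because the attribute is free text that any account with write access can change, treat it as untrusted input on read (as the parser above does) and grant write permission on it as narrowly as the domain admins allow.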