Not very sophisticated but works well to incorporate in applications. There was a situation where I had to grant access to certain ASP pages based onuser's AD group membership: direct or nested. This SP works as good work around.
-- Create a linked server to ADSI and a login to the linked server.
-- AD service account will have minimum rights over the domail: read only.
-- Generally all accounts have read rights on AD.
-- Add ADSI as linked server using sp_alllinkedserver and sp_addlinkedserverlogin
-- OR use SQL-EM to add ADSI as linked server and the login.
-- sp_addlinkedserver 'ADSI', 'Active Directory Service Interfaces', 'ADSDSOObject', 'adsdatasource'
-- EXEC sp_addlinkedsrvlogin 'ADSI', 'false'
-- Usage <EXEC inADgroup ADgroup, userAccount>
-- Returns the user name if the userAccount is a direct or nested
-- member of the ADgroup.
create procedure [dbo].[inADgroup](@adgp char(200) , @uid char(20))
as
SET NOCOUNT ON
declare @SQL nvarchar(4000) , @gpDN char(200)
declare @min int, @max int, @cnt int
-- Hold the groupDN and its nested group DNs in a temp table
CREATE TABLE #tmpCHKad( gpDN char(200) , id INT IDENTITY (1, 1) NOT NULL )
SELECT @cnt=0
-- Write in the input group DN to temp table
SET
@SQL='<LDAP://AD Domain>;(sAMAccountName=' + ltrim(rtrim(@adgp)) + ');distinguishedName;subtree'
SET @SQL= 'INSERT INTO #tmpCHKad SELECT * FROM OpenQuery(ADSI,''' + @SQL + ''')'
EXEC sp_executesql @SQL
SELECT @min=1
-- Write in the 1st level
SELECT @gpDN = gpDN FROM #tmpCHKad
SET
@SQL='<LDAP://AD Domain>;(&(ObjectCategory=group)(memberOf=' + ltrim(rtrim(@gpDN)) + '));distinguishedName;subtree'
SET @SQL='INSERT INTO #tmpCHKad SELECT * FROM OpenQuery(ADSI,''' + @SQL + ''')'
EXEC sp_executesql @SQL
SELECT @max = @@IDENTITY
-- Write in 2nd level +
WHILE (@max > @min )
BEGIN
DECLARE gp_curs CURSOR FOR
SELECT gpDN FROM #tmpCHKad WHERE id >@min and id <=@max
OPEN gp_curs
FETCH NEXT FROM gp_curs INTO @gpDN
WHILE (@@FETCH_STATUS=0)
BEGIN
SET
@SQL='<LDAP://AD Domain>;(&(ObjectCategory=group)(memberOf=' + ltrim(rtrim(@gpDN)) + '));distinguishedName;subtree'
SET @SQL='INSERT INTO #tmpCHKad SELECT * FROM OpenQuery(ADSI,''' + @SQL + ''')'
EXEC sp_executesql @SQL
FETCH NEXT FROM gp_curs INTO @gpDN
END
SELECT @min=@max
SELECT @max = @@IDENTITY
CLOSE gp_curs
DEALLOCATE gp_curs
END
-- Now that we have all the group DNs in the table, check if the input uid is a member of any of the group
-- Write in uid fiull name in a temp table: calling this from Apps will return the records.
-- ADSI behaves differently from SQL querry analyzer and any apps.
CREATE TABLE #tmpCHKad2( uname char(100) )
-- Loop thru 1st temp table and build 2nd temp table
DECLARE chkgp_curs CURSOR FOR
SELECT gpDN from #tmpCHKad
OPEN chkgp_curs
FETCH NEXT FROM chkgp_curs INTO @gpDN
WHILE (@@FETCH_STATUS=0)
BEGIN
SET
@SQL='<LDAP://AD Domain>;(&(ObjectCategory=user)(sAMAccountName='+ltrim(rtrim(@uid)) + ')(memberOf=' + ltrim(rtrim(@gpDN)) + '));name;subtree'
SET @SQL='INSERT INTO #tmpCHKad2 SELECT name FROM OpenQuery(ADSI,''' + @SQL + ''')'
EXEC sp_executesql @SQL
SELECT @cnt=@@ROWCOUNT
IF (@CNT > 0)
BREAK
FETCH NEXT FROM chkgp_curs INTO @gpDN
END
CLOSE chkgp_curs
DEALLOCATE chkgp_curs
-- Select from 2nd temp table
SELECT uname FROM #tmpCHKad2 
Sometimes you have to pull more than 50,000 records. A script to do that inside the 1000 record limit.
2014-11-13
7,756 reads
One of the challenges when considering migrating your on-premises SQL Server databases to Azure SQL Database is its lack of support for Active Directory-integrated authentication. With the advent of Azure SQL Database V12, the authentication capabilities have been expanded, allowing for more flexibility that leverages Azure Active Directory. In this article, Marcin Policht provides an overview of this functionality.
2016-10-10
3,995 reads
With AD Authentication via groups, SQL Server is vulnerable to orphaned Windows users' logins being added to SQL Server at a later date. This article gives an improved user audit script that detects orphaned DB Users and also a delete script.
2016-07-18
2,884 reads
In a previous article, we discussed how to liberate the DBA from SQL Logins with AD Groups. A good point was raised: How can the DBA know who has what access? Here is a solution.
2018-08-03 (first published: 2016-02-18)
11,741 reads
The Azure Active Directory Graph API enables some interesting scenarios that you can implement in your applications by enabling you to query and manipulate directory objects in Azure AD. In this article, Rick Rainey provides a clear walkthrough of its implementation.
2015-04-03
6,836 reads