Update Active Directory from SQL Server?

  • I am aware of how to read Active Directory entries using SQL Server, and use that information to update SQL Server data tables. Is it possible to initiate new entries in Active Directory, or update existing entries in Active Directory, from SQL Server? If so, it would give us a way to correct misspellings, add employees to Active Directory, etc. based on our master employee table in SQL Server.

    Thanks,

    Randy

  • I have not heard of modifying the Active Directory by using the LDAP connection from SQL Server, I do not think it's possible when using LDAP to issue update commands; that being said, I'm not exactly an expert on that issue. Here is a good article on LDAP and SQL Server.

    http://www.codeproject.com/KB/database/SQL_Server_%96_Active_Direc.aspx

  • I'm not aware of any way to do it directly with SQL.

    With that said, I do know of a way to do it with CLR (I think).

    So if you are not wanting to create a SQLCLR object you might as well stop here..

    Ok, you can build a CLR object that uses ADModify on CodePlex at:

    http://admodify.codeplex.com/

    That assembly is the basis for your work. Using it you should be able to change many if not most of the attributes you want.

    Does that answer your question?

    CEWII

  • I am not opposed to using CLR or managed code, although I haven't tried doing so yet. I will investigate what you have referred me to. Thanks!

  • Use scripts or custom applications to do this, don't originate it from SQL Server (speaking as both a SQL Server DBA and a former directory services administrator). If you're using scripting, you've got ADSI as an option as well as System.DirectoryServices.Protocols if you're using .NET or PowerShell. Do *not* use System.DirectoryServices:

    Joe Richards (Directory Services MVP) on System.DirectoryServices[/url]

    K. Brian Kelley
    @kbriankelley

  • K. Brian Kelley (9/22/2009)


    Use scripts or custom applications to do this, don't originate it from SQL Server (speaking as both a SQL Server DBA and a former directory services administrator). If you're using scripting, you've got ADSI as an option as well as System.DirectoryServices.Protocols if you're using .NET or PowerShell. Do *not* use System.DirectoryServices:

    Joe Richards (Directory Services MVP) on System.DirectoryServices[/url]

    Mr. Kelley,

    What is your objection to doing it from SQL using SQLCLR, or is it just SQLCLR?

    CEWII

  • Because you're consuming memory and resources intended for the SQL Server process, 1, and 2, it means your SQL Server service account doesn't have to have special privileges within the domain (because that's what it execute in the context of). Also, it means you can put in more extensive error handling, decision trees, etc., in to an application if it queries SQL Server for the information and then makes a determination of what needs to be updated, etc., within the application. Also, by doing so, you're making the solution more portable, meaning you could put it on a utility server and move it around as needed as opposed to installing something custom into SQL Server.

    So yeah, several reasons. Also, it's the general idea that this isn't what SQL Server was intended for. SQL Server was intended to service as a database engine, so it's not really the right tool for the job, even though you might extend it some. It was like the idea of using Microsoft Exchange to store files. While it was technically supported, Exchange would never do it as efficiently as a regular file system or a document control system like SharePoint (which is extremely lightweight with respect to feature set in this category but still performs better than Exchange).

    K. Brian Kelley
    @kbriankelley

  • I see your points, but I would say that there are circumstances that negate or mitigate each of your points and whether this particular problem that the poster is posing is one of them, I can't know..

    CEWII

  • Elliott W (9/22/2009)


    I see your points, but I would say that there are circumstances that negate or mitigate each of your points and whether this particular problem that the poster is posing is one of them, I can't know..

    CEWII

    All right, I'll bite on that. From a security perspective, the Principle of Least Privilege and the idea of Separation of Duties carried to a service account would suggest you don't run such an update from SQL Server. You keep SQL Server running with minimal privileges, especially to update the domain. Because you get control of the server / the SQL Server and you've gotten the domain, or at least elevated credentials on the domain.

    The fact of the matter is that unless you're running SBS, you shouldn't be running SQL Server on a DC. And chances are the DCs are locked down tighter than the server where SQL Server is running (for instance, only domain admins can remote desktop into a DC because they're the only ones with domain admin rights). If you were running such a script, you would likely want it on a member server with minimal services running which has a security profile similar to a DC.

    K. Brian Kelley
    @kbriankelley

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply