Welcome To The Home Of The Visual FoxPro Experts  
From: Ken Murphy
To: Boudewijn Lutgerink (Hoonaardstraat, Driel)
Subject: RE: user rights and AD
Thread ID: 112224 Message ID: 112235 # Views: 1 # Ratings: 0
Version: Not Applicable Category: Projects and Design
Date: Monday, November 06, 2006 1:54:20 PM

> Just curious how others think about this.
> In Active Directory I can quite exactly specify what a user can / cannot do on the network.
> I can also use the sys(0) to see who is logged in and on what machine.
> The application I build and maintain is running ALSO (among other scenarios) over a VPN on Citrix.
> Can I use the same sys(0) to determine who the user is? My own guess is that this is possible since they need to log in as on any other Windows machine.
> I am not quite familiar with the backgrounds of Citrix other than being a user, hence my Q.
> Then here is the 1000 dollar question: "If I can determine who the user is, and AD sets the rights for that user, then what would be the use of a separate log-in procedure for an application?"
> I can use the username to set up my menu and other rights for that specific user. Or am I missing something here?
> Your much appreciated thoughts on this are most welcome.
> Boudewijn Lutgerink
> The attitude of "An eye for an eye and a tooth for a tooth" will make this world toothless and blind (Gandhi)


I have not used Citrix, but from what I have read, you should still be able to use SYS(0) or GETENV([UserName]). Let's face it, at some point you have to tell Windows Server who you are.

As to using your own log-in procedure, you don't need to. When you think about it, the log-in procedure does only one thing: it identifies the user. Once you are past the log-in screen, you never need to look at the password. In other words, GETENV([UserName])/SYS(0) will give you the same information. I haven't used my own log-in procedure since I met Active Directory.

You can take it one step further if you want. You can use the Windows Start menu rather than your own VFP menu. To do this, you need to break your app down into a series of smaller .EXEs. For example, if you were working on an accounting app, you would make the AP module into an EXE, the AR module into an EXE, the Payroll module into an EXE, etc. You would then grant only the Payroll Dept. user group read/write/execute access to the Payroll.EXE app using AD. Now, only the Payroll Dept. user group would be able to run the payroll portion of the app. When an employee leaves the payroll dept., your sys admin removes that user from the payroll dept. user group, and that employee can no longer access the Payroll.EXE app. When an employee leaves the company, the Sys Admin deletes the user and now that user cannot gain access to anything - including your app.

The downside of using this concept is increased network traffic. Each time the user accesses the app, the system needs to load the EXE from the server share. On the plus side, because the Payroll.EXE app is much smaller than an Accounting.EXE app would be, this is not too much of a price to pay. Each app is actually quite tiny.

You shall know the truth - and the truth shall set you free. (John 8:33)

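An added example (not code from the thread or from either poster) of the one-EXE-per-module layout Ken describes, expressed as an NTFS ACL on the module EXE, plus a membership check that reads the logon token rather than the USERNAME environment variable that GETENV([UserName]) returns, since an environment variable can be edited by the user before the EXE starts. The share path and the group name are placeholders.

```powershell
# Added example, not from the original post.
# Placeholders: adjust the share path and AD group to your environment.
$ExePath   = '\\FILESERVER\Apps\Payroll.exe'   # placeholder share path
$GroupName = 'CONTOSO\Payroll Dept'            # placeholder AD group

function Set-ModuleAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    # Stop inheriting the share folder's broader entries and drop the inherited
    # copies, so the only rights on this EXE are the ones granted below.
    $acl.SetAccessRuleProtection($true, $false)
    # The module group only needs to read and run the file, not write it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    # Administrators keep full control so a new build can still be deployed.
    $admin = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.AddAccessRule($admin)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ModuleAccess {
    param([string]$Group)
    # WindowsIdentity comes from the logon token, which the user cannot edit;
    # $env:USERNAME is just an environment variable under the user's control.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole($Group)
}

# Usage (run as an administrator on the file server or over an admin share):
Set-ModuleAcl -Path $ExePath -Group $GroupName
if (Test-ModuleAccess -Group $GroupName) {
    "$($env:USERNAME) is in $GroupName according to the logon token"
} else {
    "$($env:USERNAME) is not in $GroupName; the ACL will refuse to run $ExePath"
}
```

Removing the user from the group in AD takes effect at the user's next logon, when a fresh token is built, so a user who is already logged on keeps the module until then.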

user rights and AD Posted by Boudewijn Lutgerink @ 11/6/2006 1:01:01 PM
RE: user rights and AD Posted by Ken Murphy @ 11/6/2006 1:54:20 PM
RE: user rights and AD Posted by Boudewijn Lutgerink @ 11/6/2006 3:25:37 PM
RE: user rights and AD Posted by Ken Murphy @ 11/6/2006 3:42:02 PM