Create Proxy user in ADAM/AD LDS programmatically

A proxy object is an object in ADAM that represents a security principal in Active Directory. Each proxy object in ADAM contains the SID of a user in Active Directory. Proxy objects (and proxy object classes) do not exist by default in ADAM. However, you can import a proxy object class into the ADAM schema during ADAM installation. A proxy object can be created from any object class that contains the msDS-bindProxy auxiliary class. The msds-BindProxy class possesses a single "must contain" attribute, ObjectSid, which holds the SID of the associated Active Directory security principal. You can set the value of ObjectSid only at the time that the object is created. After a proxy object is created, the value of its ObjectSid attribute cannot be modified. You can set the ObjectSid of a proxy object to the SID of any local Windows user or to any user who is a member of a domain or forest that is trusted by the computer on which ADAM is running.

Here are the steps to create a proxy user "CN=ProxyUser" for the domain user "testuser" using VB.NET code.

Step 1. Create the domain user object:

    Dim adUser As DirectoryEntry
    adUser = New DirectoryEntry("LDAP://CN=testuser,CN=Users,DC=mydomain,DC=com")

Step 2. Create the ADAM container object:

    Dim rootADAM As DirectoryEntry
    rootADAM = New DirectoryEntry("LDAP://WIN-H7C23TQC12L:50000/CN=partition1,DC=myadam,DC=com")

Here WIN-H7C23TQC12L is the ADAM machine and 50000 is the port configured for the ADAM bind.

Step 3. Create the proxy user object:

    Dim proxyUser As DirectoryEntry
    proxyUser = rootADAM.Children.Add("CN=ProxyUser", "userProxy")

Step 4. Set some properties on the proxy user object:

    proxyUser.Properties("displayName").Value = "ProxyUser"
    proxyUser.Properties("userPrincipalName").Value = "ProxyUser@adamtest.com"

Step 5. Get the objectSid of the domain user and convert it into SDDL string format (i.e. "S-1-5-..."):

    Dim sidBytes As Byte() = CType(adUser.Properties("objectSid").Value, Byte())
    Dim SI As System.Security.Principal.SecurityIdentifier = New System.Security.Principal.SecurityIdentifier(sidBytes, 0)

Step 6. Set the objectSid of the proxy user to the SID of the domain user:

    proxyUser.Properties("objectSid").Value = SI.ToString()

Step 7. Commit the changes to ADAM to create the proxy user "CN=ProxyUser":

    proxyUser.CommitChanges()

Note that you cannot create a proxy object for a domain user in an ADAM directory partition that already contains a foreign principal object (FPO) for that same domain user.
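The seven steps above combined into one routine, as an added example in VB.NET that is not part of the original post. It reuses the post's DNs, host name and port as placeholders (replace them with your own), relies on System.DirectoryServices, and adds a pre-check that is an assumption of this example rather than something the post shows: before anything is created it searches the ADAM partition for an object already carrying the domain user's SID (such as the foreign principal object mentioned in the note above), because objectSid cannot be changed once the proxy exists, so a collision is cheaper to catch before CommitChanges than after.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text

' Added example, not code from the original post. DNs, host name and port are
' assumptions modelled on the post's values; replace them with your own.
Module ProxyUserExample

    ' Escape a byte array for use inside an LDAP search filter (RFC 4515 \xx form),
    ' so the raw SID bytes from AD can be matched against objectSid in ADAM.
    Private Function EscapeBinaryForFilter(ByVal data As Byte()) As String
        Dim sb As New StringBuilder(data.Length * 3)
        For Each b As Byte In data
            sb.Append("\"c).Append(b.ToString("x2"))
        Next
        Return sb.ToString()
    End Function

    ' Returns the DN of any object in the partition that already carries this SID
    ' (for example a foreign principal object), or Nothing if there is none.
    ' Assumption of this example: objectSid is searchable in the partition.
    Private Function FindExistingObjectBySid(ByVal partition As DirectoryEntry, ByVal sidBytes As Byte()) As String
        Using searcher As New DirectorySearcher(partition)
            searcher.Filter = "(objectSid=" & EscapeBinaryForFilter(sidBytes) & ")"
            searcher.SearchScope = SearchScope.Subtree
            searcher.PropertiesToLoad.Add("distinguishedName")
            Dim hit As SearchResult = searcher.FindOne()
            If hit Is Nothing Then Return Nothing
            Return CStr(hit.Properties("distinguishedName")(0))
        End Using
    End Function

    ' Creates a userProxy object for the given domain user and returns its ADsPath.
    Public Function CreateProxyUser(ByVal domainUserPath As String, ByVal adamPartitionPath As String, _
                                    ByVal proxyCn As String, ByVal proxyUpn As String) As String
        Using adUser As New DirectoryEntry(domainUserPath)
            Using rootADAM As New DirectoryEntry(adamPartitionPath)
                ' Step 5: read the domain user's SID as the raw byte array AD returns.
                Dim sidBytes As Byte() = CType(adUser.Properties("objectSid").Value, Byte())
                Dim sid As New SecurityIdentifier(sidBytes, 0)

                ' objectSid is immutable once the proxy exists, and the partition must not
                ' already hold an FPO for this user, so check before creating anything.
                Dim existing As String = FindExistingObjectBySid(rootADAM, sidBytes)
                If existing IsNot Nothing Then
                    Throw New InvalidOperationException( _
                        "An object with SID " & sid.Value & " already exists: " & existing)
                End If

                ' Steps 3, 4, 6 and 7: create the proxy, set its attributes, commit.
                Using proxyUser As DirectoryEntry = rootADAM.Children.Add("CN=" & proxyCn, "userProxy")
                    proxyUser.Properties("displayName").Value = proxyCn
                    proxyUser.Properties("userPrincipalName").Value = proxyUpn
                    ' As in the post, the SID is written in SDDL string form ("S-1-5-...").
                    proxyUser.Properties("objectSid").Value = sid.Value
                    proxyUser.CommitChanges()
                    Return proxyUser.Path
                End Using
            End Using
        End Using
    End Function

    Sub Main()
        ' Placeholder values in the style of the post; substitute your own environment.
        Dim createdPath As String = CreateProxyUser( _
            "LDAP://CN=testuser,CN=Users,DC=mydomain,DC=com", _
            "LDAP://WIN-H7C23TQC12L:50000/CN=partition1,DC=myadam,DC=com", _
            "ProxyUser", "ProxyUser@adamtest.com")
        Console.WriteLine("Created " & createdPath)
    End Sub
End Module
```

The Using blocks make sure every DirectoryEntry and DirectorySearcher is disposed, including when the pre-check throws. Running this needs an account that can read objectSid on the domain user and create children in the ADAM partition; if the bind to ADAM must use explicit credentials, pass them to the DirectoryEntry constructor overload that takes a username and password rather than embedding them in the path.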

technet.microsoft.com/en-us/library/cc755705(WS.10).aspx