我正在开发用于管理用户信息，并将数据保存在SQL Server的应用程序。我想'莫名其妙'连接这个应用程序与我们的活动目录，所以所有的变化这个程序将使将反映在Active Directory太（如果我们添加一个新用户的应用程序，它也将被添加在Active目录）

I'm developing an application that manages information about users and save the data in a SQL Server. I would like to 'somehow' connect this application with our Active Directory, so all the changes this app will make will be reflected in the Active Directory too (if we add a new user in the app, it will be added also in the Active Directory)

这可能吗？如果是这样，这是我的选择吗？

Is it possible? if so, which are my options?

在此先感谢

推荐答案

不要这么做。让AD是你的用户群的权威副本，让用户的总是的在公元第一个创建，然后传播到SQL。通过让用户通过不同的路径（SQL第一），加入你打开一个巨大的蠕虫可以在安全方面。如果用户在SQL中，但不是在AD中定义，究竟是taht用户？他怎么可以登录？为了难道他属于哪个群体？他是允许访问或没有到这个资源或资源？如何当一个用户被添加在AD的和的SQL中具有不同的特点，然后你需要协调。例

Don't do it. Let AD be the authoritative copy of your user base, and let the users always be created in AD first and then propagate to SQL. By letting users be added through a different path (SQL first) you open a huge can of worms with regard to security. If a user is defined in SQL but not in AD, what exactly is taht user? How can he log in? To what groups does he belong? IS he allowed access or not to this resource or that resource? How about cases when an user is added in AD and in SQL with different characteristics and then you need to reconcile.

修改您的应用程序做的总是的AD中创建用户，在符合的广告政策和安全要求（密码的复杂性是最简单的例子）。然后让与SQL AD同步。

Modify your application do always create the user in AD, in conformance with the AD policies and security requirements (password complexity being the most trivial example). Then let AD synchronize with SQL.