The Windows Users and Groups Connector (in older versions of TDI this was called the NT4 Connector) operates on the Windows NT security database. It deals with Windows users and groups, the two basic entities of the Windows NT security database. This Connector can both read and modify the Windows NT security database on the local Windows machine, on the Primary Domain Controller of the local domain, and on the Primary Domain Controller of another domain.
This Connector is dependent on a Windows NT API, and only works on the Windows platform.
The Connector is designed to connect to the Windows NT4 and Windows 2000 SAM databases through the Win32 API for Windows NT and Windows 2000/2003 user and group accounts. The Connector can connect to a Windows 2000 SAM database, but it only reads or writes attributes that are backward-compatible with NT4 (in other words, the Windows Users and Groups Connector has a predefined and static attribute map table consisting of NT4 attributes). Windows 2000/2003 native attributes and user-defined attributes are therefore not supported by this Connector.
See Windows Users and Groups Connector functional specifications and software requirements for a full functional specification of the Connector, architecture description as well as hardware and software requirements.
This component is not available in the TDI 7.1 General Purpose Edition.
To successfully run the Windows Users and Groups Connector and obtain all of its functionality, the Connector must be run in a process owned by a user who is a member of the local Administrators group and who has logon privileges on the domain controller and on any other domains that are accessed. This precondition can be omitted if the UserName and Password parameters of the Connector are set to specify an account that meets the requirements stated above.
The Windows Users and Groups Connector is designed and implemented to work in the following modes:
This Connector does not support Advanced Link Criteria (see "Advanced link criteria" in IBM TDI V7.1 Users Guide).
The Connector needs the following parameters:
Link Criteria must be constructed when using the Windows Users and Groups Connector in Lookup, Update and Delete modes. The Connector supports only Link Criteria that uniquely identify a single entry. The format is strict; passing Link Criteria that do not match this format results in the following exception:
Unsupported Link Criteria structure.
The following is the Link Criteria structure that must be used, depending on Entry Type:
USER_NAME,GROUP_NAME
USER_NAME,GROUP_NAME
Global groups and domain users (which can be members of a local group on a machine that is not a domain controller) are retrieved in, and must be addressed in, the following format:
DOMAIN_NAME\GLOBAL_GROUP_NAME,DOMAIN_NAME\USER_NAME
When creating a new user with the Windows Users and Groups Connector, if any of the following attributes are omitted or assigned a null value, they are automatically assigned a default value as follows:
Remember that a user password value cannot be retrieved: Windows stores it in a form that cannot be read back. If an AssemblyLine copies users from one Windows machine to another, the Password attribute value must therefore be set manually.
When adding a user, passing the Password attribute with no value results in creating a user with an empty password.
When modifying a user, passing the Password attribute with no value results in retaining the old password.
All Domain Users must be members of their Primary Group. This means that the value set in the PrimaryGroup attribute must also be present in the GlobalGroups attribute. If the PrimaryGroup attribute has no value, it is set to "Domain Users".
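The three rules above (an empty Password on Add creates a user with an empty password, the PrimaryGroup value must appear in GlobalGroups with "Domain Users" as the default, and domain members are addressed as DOMAIN_NAME\NAME) are the kind of thing an AssemblyLine script should verify before the Connector writes an entry. The following is an added example, not code from the IBM TDI documentation or product: it models the work Entry as a plain object mapping attribute names to arrays of values, and the function names are hypothetical.

```javascript
// Added example: pre-flight checks on an entry before the Windows Users and
// Groups Connector applies it. An entry is modelled as a plain object such as
// { UserName: ["alice"], Password: ["..."], GlobalGroups: ["Sales"] },
// standing in for the TDI Entry (assumption for this example).

const DEFAULT_PRIMARY_GROUP = "Domain Users"; // default named in the documentation

// Returns a list of problems; an empty list means the entry is safe to hand over.
// mode is "add" (AddOnly) or "modify" (Update).
function checkUserEntry(entry, mode) {
  const problems = [];
  const password = (entry.Password || [])[0];
  const empty = password === undefined || password === null || password === "";
  // On Add, a missing or empty Password creates a user with an empty password;
  // this is what happens when users are copied machine to machine, because the
  // source password can never be read back.
  if (mode === "add" && empty) {
    problems.push("Password is empty: the Connector would create the user with an empty password");
  }
  // On Modify, an empty Password simply retains the old one, so nothing is flagged.
  return problems;
}

// Returns a copy of the entry in which PrimaryGroup is set (defaulting to
// "Domain Users") and is guaranteed to be present in GlobalGroups.
function normalizePrimaryGroup(entry) {
  const out = { ...entry };
  const primary = (entry.PrimaryGroup || [])[0] || DEFAULT_PRIMARY_GROUP;
  const globals = [...(entry.GlobalGroups || [])];
  if (!globals.includes(primary)) {
    globals.push(primary);
  }
  out.PrimaryGroup = [primary];
  out.GlobalGroups = globals;
  return out;
}

// Splits a DOMAIN_NAME\NAME member reference into its parts; returns null for
// an unqualified (local) name so callers can tell the two cases apart.
function splitDomainQualified(member) {
  const idx = member.indexOf("\\");
  if (idx <= 0 || idx === member.length - 1) {
    return null;
  }
  return { domain: member.slice(0, idx), name: member.slice(idx + 1) };
}
```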
Certain groups are predefined and special to Windows, and certain operations are not permitted on them: deleting them, renaming them, and modifying some of their attributes. Any attempt to perform one of these operations on such a group results in an exception.
Here is the list of these groups, structured by Windows installation type:
Domain Controller:
Non-Domain Controller:
Navigate to the root_directory/examples/NT4 directory of the IBM TDI installation.
The Windows Users and Groups Connector implements Windows Users and Groups database access for both user and group management on Windows systems according to Windows definitions and restrictions as outlined below. For additional background information, see Overview of Users and Groups and Managing local and remote Users and Groups.
The Windows Users and Groups Connector reads both user and group information from the Windows Users and Groups repository, including group and user metadata as well as relationship information (for example, user-to-group and group-to-group membership). The Connector reads both local and domain user or group data. Data is read from Windows, then organized and provided in the containers expected by IBM TDI.
The Windows Users and Groups Connector adds user information to both local machines and domain controllers, and it adds group information to both local machines and domain controllers. When operating with a domain controller, the Connector can create both local and global groups. When operating with a machine that is not a domain controller, the Connector can only create local groups, according to security restrictions set by Windows.
The Windows Users and Groups Connector modifies group membership for both local and global groups. In accordance with Windows NT security restrictions, members can be assigned to groups as follows:
The Windows Users and Groups Connector modifies user and group properties on both local machines and domain controllers. When connected to a domain controller, the Connector is able to modify the properties of both local and global groups.
The Windows Users and Groups Connector can remove users from both local machines and domain controllers, and it can remove local groups from both local machines and domain controllers. When operating with a domain controller, the Connector can remove both local and global groups.