Here is the situation. I am working to create a Windows Forms application which allows various help desk personnel to view Active Directory and PowerCampus (a SQL DB) data for users. The program must also be able to reset users' passwords.
It will be installed on multiple desktop machines on our network.
This requires a certain level of permissions which we do not want to give to the Active Directory accounts of the personnel who will use it.
My working solution in this case is to create an Active Directory account for the application, give that account the necessary permissions and then have the application impersonate this account when it needs elevated permissions. I'm using advapi32.dll-LogonUser.
The username and password for the account are hard coded into the program.
My question is, how do I do this better? Is there some other way to give the application elevated permissions without giving those permissions to the users? Is there a better way to impersonate an Active Directory account? Last, I know that hard coding the username and password is not very secure. I would prefer to encrypt the information somehow, but then the program must have the key to decrypt, which is only 1 step removed from what I have now. How can I safely and simply encrypt the account password?