I currently have an intranet site which I programmed using ASP Classic
and VBScript.  I have a log-in page where users enter their username
and password which is then validated against a table in a SQL Server
2000 database.  I would like to be able grant them access to the site
based on their Windows log-in so that they won't have to remember yet
another password.  I know this is possible using ASP.Net but I would
like to use ASP Classic.  Also I would need to be able to determine
their (a) username (b) any groups they belong to (like Administrators)
as I limit portions of my site based on their group membership.

ASP User has this ability:
http://www.aspuser.com/

We have been using it on our ASP/VBScript intranet for quite some time. 

-David

David,

  Thanks for the link..I have visited that site before and while it
does look like it will do what I need I was hoping to be able to
program that functionality myself as opposed to relying on another
app.  Since you use it, can I just use it to get the username and
group membership's or does it automatically give rights to change
SAM/Active Directory information.  The reason I ask is because my Sys
Admin department is too keen on letting the knowledge management
department have control over user's active directory info.   Thanks
again for the link.

Bill

You can grant them access to the site based on their Windows log-in
simply by unenabling Anonymous access and enabling Integrated Windows
authentication in the IIS console -> Anonymous access and
authentication control -> Edit... dialogue.

Once authenticated with Integrated Windows, you can get their username
through Request.ServerVariables("LOGON_USER").

Then use ADSI (Active Directory Services Interface). Pretty easy in
classic ASP and VBScript. Then you can get a user object through ADSI
based on the logged in username and the domain name:

strUsername = Request.ServerVariables("LOGON_USER")
set myUser = GetObject("WinNT://yourDomainName/" & strUsername & ",user")

Now you can get information about the user with properties, such as:

myUser.FullName
myUser.HomeDirectory

The full list is here:
http://msdn.microsoft.com/library/en-us/adsi/adsi/iadsuser_property_methods.asp?frame=true

To get the groups a user belongs to you can try something like:
       strGroupList = ""
       set myDomain = GetObject("WinNT://yourDomainName")
       myDomain.Filter = Array("group")
       for each group in myDomain
           strGroupName = group.name
           set grp = getObject("WinNT://yourDomainName/" & strGroupName)
           if grp.isMember("WinNT://yourDomainName/" & strUsername) then
                strGroupList = strGroupList & strGroupName & "<br>"
           end if
           set grp = nothing
       next
       set myDomain = nothing
       response.write( strGroupList )

A couple of articles / references:
http://msdn.microsoft.com/library/en-us/adsi/adsi/iadsuser.asp?frame=true
http://www.4guysfromrolla.com/webtech/061202-1.shtml
http://www.eggheadcafe.com/articles/20010126.asp

Kevin Collins

If you would like to manage the security yourself and only want to
know their login id then you can get it from:

request.servervariables("LOGON_USER")

In you code you can allow/revoke access to different functionality.

G,
ASP ASP.NET and SQL Server Hosting Specialists
http://www.nt-webspace.com