ActiveDirectoryMembershipProvider and SqlRoleProvider: Maintenance?
In a new project, I'm planning to use ActiveDirectoryMembershipProvider and SqlRoleProvider to provide authentication and authorization, respectively.
One thing that isn't clear to me is how maintenance is handled -- when users that have logged in and been assigned roles are removed from Active Directory, how do you remove orphaned records in the mapping table used by SqlRoleProvider? I believe this is the aspnet_UsersInRoles table.
One could query Active Directory periodically for disabled users, then iterate through that list, calling Roles.RemoveUserFromRoles(UserId, Roles.GetRolesForUser(UserId)) where UserId is also in aspnet_UsersInRoles. Hugely slow, I would imagine, for a large organization.
Or, alternatively, for each distinct UserId in UsersInRoles, query Active Directory and ensure the userAccountControl attribute's bitmask doesn't indicate the account is disabled. Also very inefficient, for a large number of application users.
An even more ugly but much more efficient approach would be to store last login date and periodically purge role associations for users that haven't logged in for, say, six months. This might cause headaches.
I'd love to hear suggestions.
Yes, you have to manually do the cleanup. Do you need instantaneous update? If you can do a batch process that runs nightly, that would be efficient since it isn't running during core operational hours. Or, it might make sense to kick off a process in another thread to handle the deletion of the role as soon as you are aware of it. Removing roles per user access shares the hit across users and makes them think that the application is slow.
How many times are roles removed? If a lot, then consider a batch process, if once in a few years, then it probably isn't as much of an issue to work it into the application during some process.
As far as how to, you can use the API, but the aspnet_UsersInRoles and aspnet_roles tables could be easily wiped on their own accord too via SQL Script.
HTH.
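As an added example of the nightly batch approach suggested above (this is not code from the question or the answer), here is a console job that reads the current role membership through the Roles API, asks Active Directory in batches of 100 which of those accounts still exist and are enabled, and removes the rest from every role. It assumes that the usernames stored by SqlRoleProvider are sAMAccountName values (swap the attribute if your ActiveDirectoryMembershipProvider maps usernames to userPrincipalName), that roleManager is configured in app.config so the static Roles class works outside a web app, and that `LDAP://DC=example,DC=com` is a placeholder for your domain. It handles both deleted and disabled accounts, because a deleted account simply does not come back from the query.

```csharp
// Nightly cleanup for SqlRoleProvider: drop role memberships whose account is
// gone from AD or disabled. Added example; assumptions are noted in comments.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;
using System.Web.Security;

static class RoleCleanup
{
    const int UF_ACCOUNTDISABLE = 0x0002; // userAccountControl "account disabled" bit
    const int BatchSize = 100;            // names per LDAP query; keeps each filter small

    // RFC 4515 escaping so a stored username cannot change the shape of the filter.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the subset of `names` that exist in AD and are not disabled.
    // Assumption: role-table usernames are sAMAccountName values.
    static HashSet<string> FindActiveAccounts(DirectoryEntry root, IList<string> names)
    {
        var active = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        for (int start = 0; start < names.Count; start += BatchSize)
        {
            var batch = names.Skip(start).Take(BatchSize);
            string clauses = string.Concat(batch.Select(n => "(sAMAccountName=" + EscapeFilterValue(n) + ")"));
            // 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the "!" excludes disabled accounts.
            string filter = "(&(objectCategory=person)(objectClass=user)" +
                            "(!(userAccountControl:1.2.840.113556.1.4.803:=" + UF_ACCOUNTDISABLE + "))" +
                            "(|" + clauses + "))";
            using (var searcher = new DirectorySearcher(root, filter, new[] { "sAMAccountName" }))
            {
                searcher.PageSize = 1000;
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        active.Add((string)r.Properties["sAMAccountName"][0]);
                }
            }
        }
        return active;
    }

    static void Main()
    {
        // Read membership once so each user is checked against AD a single time,
        // even if they belong to several roles.
        var membership = Roles.GetAllRoles().ToDictionary(r => r, r => Roles.GetUsersInRole(r));
        var allUsers = membership.Values.SelectMany(u => u)
                                        .Distinct(StringComparer.OrdinalIgnoreCase)
                                        .ToList();
        if (allUsers.Count == 0) return;

        using (var root = new DirectoryEntry("LDAP://DC=example,DC=com")) // placeholder domain
        {
            HashSet<string> active = FindActiveAccounts(root, allUsers);

            // Safety stop: an empty answer for a non-empty question almost certainly means a
            // directory or connectivity problem, not that every user left the company.
            if (active.Count == 0)
            {
                Console.Error.WriteLine("AD returned no active accounts; aborting without changes.");
                return;
            }

            foreach (var kv in membership)
            {
                string[] orphans = kv.Value.Where(u => !active.Contains(u)).ToArray();
                if (orphans.Length == 0) continue;
                Console.WriteLine("Removing {0} orphaned member(s) from role '{1}'", orphans.Length, kv.Key);
                Roles.RemoveUsersFromRoles(orphans, new[] { kv.Key });
            }
        }
    }
}
```

Run it from a scheduled task under a service account that can read user objects and has access to the membership database. Going through Roles.RemoveUsersFromRoles rather than deleting rows by hand keeps the provider's own stored procedures and any caching in the picture, and the "no active accounts" guard is there because a batch job that trusts an empty directory answer would otherwise strip every role in one run.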