Hi
First of all, I would like to say that the whoami tool and the IsInRole
method both work on my side when logged on as a common user. So I guess that
your account did not have the rights to query the AD information about the
group, and that's why I suggested you use the domain admin; I just want to
isolate the problem, since we first need to ensure the code is fine.
We can also try to use the ADSI code to do the job. But as the whoami tool did
not work for you, I think the code below may not work properly. I have
tested the code on my side, and it works fine for a common domain user
account.
NOTE: Because the whoami
The IsMember function will work for common groups, except the primary group.
E.g. Domain Users is the primary group; we need to use another approach
to handle such a case: use GetPrimaryGroup to get a certain user's primary
group and do a string match to get the result.
// Requires: using System.DirectoryServices; using System.Text; using System.Windows.Forms;
private void button2_Click(object sender, System.EventArgs e)
{
    string groupPath = "LDAP://CN=Test Group,CN=Users,DC=D1,DC=D2,DC=D3";
    string userPath = "LDAP://CN=Peter Huang,CN=Users,DC=D1,DC=D2,DC=D3";

    DirectoryEntry user = new DirectoryEntry(userPath);
    // The primary group (e.g. Domain Users) is not reported by IsMember, so resolve it separately
    MessageBox.Show(GetPrimaryGroup(user));

    DirectoryEntry group = new DirectoryEntry(groupPath);
    // IsMember is the IADsGroup method of the underlying ADSI COM object
    if ((bool)group.Invoke("IsMember", new string[] { userPath }))
    {
        MessageBox.Show("User is in group");
    }
    else
    {
        MessageBox.Show("User is NOT in group");
    }
}

private string GetPrimaryGroup(DirectoryEntry aEntry)
{
    int primaryGroupID = (int)aEntry.Properties["primaryGroupID"].Value;
    byte[] objectSid = (byte[])aEntry.Properties["objectSid"].Value;
    StringBuilder escapedGroupSid = new StringBuilder();

    // Copy over everything but the last four bytes (the user's RID sub-authority).
    // What remains is the domain SID prefix, escaped as \xx for the LDAP filter.
    for (int i = 0; i < objectSid.Length - 4; i++)
    {
        escapedGroupSid.AppendFormat("\\{0:x2}", objectSid[i]);
    }

    // Append primaryGroupID as a little-endian 32-bit sub-authority to build
    // the SID of the primary group
    for (int i = 0; i < 4; i++)
    {
        escapedGroupSid.AppendFormat("\\{0:x2}", (primaryGroupID & 0xFF));
        primaryGroupID >>= 8;
    }

    // Search the directory for a group with this SID
    DirectorySearcher searcher = new DirectorySearcher();
    searcher.Filter = "(&(objectCategory=Group)(objectSID=" + escapedGroupSid.ToString() + "))";
    searcher.PropertiesToLoad.Add("distinguishedName");
    return searcher.FindOne().Properties["distinguishedName"][0].ToString();
}
Hope this helps.
Best regards,
Peter Huang
Microsoft Online Partner Support

Signature
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
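The primary-group lookup above works by rewriting the user's own SID: the last four bytes (the user's RID) are dropped, the primaryGroupID is appended as a little-endian sub-authority, and the result is hex-escaped for an LDAP filter. The following is an added example, not code from the post above, that reproduces that byte-level logic in Python so it can be checked offline without an AD connection. The sample SID, its RIDs and the primaryGroupID value 513 are constructed for the example and assumed, not taken from the thread.

```python
import struct

# Constructed sample: a domain user SID S-1-5-21-1-2-3-1105 with primaryGroupID 513
# (the well-known "Domain Users" RID). These values are made up for this example.
SAMPLE_USER_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1105)
SAMPLE_PRIMARY_GROUP_ID = 513


def parse_sid(sid_bytes):
    """Split a binary SID into (revision, identifier authority, [sub-authorities]).

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then `count` little-endian 32-bit sub-authorities.
    """
    if len(sid_bytes) < 8:
        raise ValueError("SID too short")
    revision, count = sid_bytes[0], sid_bytes[1]
    if len(sid_bytes) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, sid_bytes, 8))
    return revision, authority, subs


def sid_to_string(sid_bytes):
    """Render a binary SID in the usual S-R-A-S1-S2-... text form."""
    revision, authority, subs = parse_sid(sid_bytes)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_sid(user_sid_bytes, primary_group_id):
    """Replace the user's RID (last sub-authority) with primaryGroupID.

    This is what the C# loops do: copy all but the last four bytes of
    objectSid, then append primaryGroupID little-endian, one byte at a time.
    """
    parse_sid(user_sid_bytes)  # validates the layout before slicing
    return user_sid_bytes[:-4] + struct.pack("<I", primary_group_id)


def ldap_escape_binary(value):
    """Escape raw bytes for an LDAP filter value (RFC 4515 \\XX hex form)."""
    return "".join("\\%02x" % b for b in value)


def primary_group_filter(user_sid_bytes, primary_group_id):
    """Build the same search filter the C# code hands to DirectorySearcher."""
    group_sid = primary_group_sid(user_sid_bytes, primary_group_id)
    return "(&(objectCategory=group)(objectSid=%s))" % ldap_escape_binary(group_sid)


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_USER_SID))
    print(sid_to_string(primary_group_sid(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID)))
    print(primary_group_filter(SAMPLE_USER_SID, SAMPLE_PRIMARY_GROUP_ID))
```

The length check in parse_sid is the one thing worth carrying back to the C# version: slicing off the last four bytes only yields the domain SID if the value really is a well-formed domain account SID, so validating the sub-authority count before trusting the result avoids building a filter from a truncated or unexpected attribute value.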
David Thielen - 10 Jan 2005 21:15 GMT
Hi;
I tried this code (keeping it very simple):
string groupPath =
"LDAP://CN=NxAcEnvironmentCreate,CN=Users,DC=D1,DC=D2,DC=D3";
string userPath = "LDAP://CN=dthielen,CN=Users,DC=D1,DC=D2,DC=D3";
DirectoryEntry _user = new DirectoryEntry(userPath);
DirectoryEntry _group = new DirectoryEntry(groupPath);
bool b = (bool)_group.Invoke("IsMember", new string[]{userPath});
Console.Out.WriteLine("ldap = " + b);
And on the Invoke call I got this exception:
"A referral was returned from the server"
Any ideas?
thanks - dave
> Hi
>
[quoted text clipped - 75 lines]
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.
"Peter Huang" [MSFT] - 11 Jan 2005 05:36 GMT
Hi,
For the error "A referral was returned from the server", I think there are
many possibilities which may cause the error.
For now I think we had better move the focus to the problem that the
whoami tool did not work; I will follow up in that thread. If you still
have any concern, please feel free to post here.
Subject: IsInRole fails for domain groups - on my computer only
Newsgroups: microsoft.public.dotnet.framework.sdk
Best regards,
Peter Huang
Microsoft Online Partner Support
David Thielen - 10 Jan 2005 21:53 GMT
The following two approaches also throw exceptions:
DirectoryEntry deUser = new DirectoryEntry("LDAP://CORP/dthielen");
foreach(object oMember in deUser.Properties["memberOf"])
    Console.Out.WriteLine("group = " + oMember.ToString());
throws COMException: "An invalid dn syntax has been specified"
And:
DirectoryEntry groupEntry = new DirectoryEntry(
"WinNT://NxAcEnvironmentCreate,group");
bool val = (bool)groupEntry.Invoke( "IsMember","WinNT://CORP/dthielen");
Console.Out.WriteLine("AD = " + val);
throws: ExternalException "Unknown error (0x80005000)"
any ideas?
thanks - dave
David Thielen - 10 Jan 2005 22:43 GMT
Hi;
Since you said it worked on your system, I had several others try here.
"whoami /groups" lists domain groups on 4 other computers here. But when the
domain admin logged in on my computer, it failed.
So it is an issue on my computer. (3 days of hitting my head against a wall
over this and the code was good all along!!!)
So, any ideas why it isn't working on my computer? It can't be a user
permission issue because the domain administrator logged in to my computer
and whoami showed no domain groups on my system - but did when he did it on
his own system.
??? - thanks - dave
> Hi
>
[quoted text clipped - 8 lines]
> tested the code on my side which works fine for a common domain users
> account.
...
The solution (thanks to Peter) is to switch the computer from the domain to a
workgroup and then back to the domain. Then it works. No idea why.
thanks - dave
> Hi;
>
[quoted text clipped - 5 lines]
>
> So how can I get a result for something like IsInRole("Domain Users")?