I've come across this issue and I have no idea how to query the AD to get the
correct result. My AD has five groups and a user (UserX). These groups have
members like that:
[GroupA]
-Domain Users
[GroupB]
-GroupA
[GroupC]
-UserC
[GroupD]
-UserX
[GroupE]
-GroupD
I can use these groups to secure NTFS folders, Registry keys, etc. Windows
will grant or deny access by looking up UserX's membership.
So UserX is a 'member' of the following groups (directly, nested or through
built-in groups):
GroupA
GroupB
GroupD
GroupE
But he is NOT in:
GroupC
Now, how can I query the AD to get the same result for the UserX?
E.g. is there a method like IsMemberOf("GroupB") or IsMemberOf("GroupE") -
which would return 'true'?
How does Windows determine the (nested or built-in) membership?
Thanks in advance
Bernie
I'm using .NET 2.0 and C#, or anything else that might help ;-)
Best is to use the tokenGroups attribute. This is a collection of group
Sids, including memberships due to nesting, and even the "primary" group.
The only memberships not included are cross-domain memberships. However,
values in the tokenGroups collection are byte arrays, so special coding is
needed. Also, you need to bind to the corresponding group to retrieve the
group name. I have a VBScript example linked here:
http://www.rlmueller.net/IsMember4.htm
I have not yet done this in .NET.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
<Bernhar...@Web.de> wrote in message
news:%23pmWuFv...@TK2MSFTNGP02.phx.gbl...
If you must resort to LDAP, then the tokenGroups attribute is the way to go
as Richard suggested. I'd suggest you just download ch 10 of my book from
the site in my sig as it shows exactly how to do that a few different ways
in the last part. The code samples may also be downloaded from the site.
If you like it, you might even consider buying the whole book. :) Don't
feel obligated though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<Bernhar...@Web.de> wrote in message
news:%23pmWuFv...@TK2MSFTNGP02.phx.gbl...
Bernie
"Richard Mueller" <rlmuelle...@ameritech.NOSPAM.net> wrote in
message news:uTnKKXv8...@TK2MSFTNGP02.phx.gbl...
Looks like your book is missing in our office...
Bernie
"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in
message news:ez7KCvv8...@TK2MSFTNGP04.phx.gbl...
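
The tokenGroups approach recommended in the replies above returns each group as a binary SID, which is the "special coding" Richard mentions. The following is an added example, not code from any poster in this thread or from the linked sites: it decodes those byte arrays and answers the IsMemberOf question for the thread's scenario. The domain SID, the RIDs 1101-1105 and all function names are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID, the form tokenGroups values arrive in."""
    if len(raw) < 8:
        raise ValueError("truncated SID")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_to_bytes(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the sample data."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)])
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def is_member(token_groups, group_sid: str) -> bool:
    """True if group_sid appears among the decoded tokenGroups values."""
    return group_sid.upper() in {sid_to_string(v).upper() for v in token_groups}

# Constructed sample data: the domain SID and the RIDs 1101-1105 are made up;
# 513 is the well-known RID of Domain Users.
DOMAIN = "S-1-5-21-1000-2000-3000"
GROUPS = {"Domain Users": 513, "GroupA": 1101, "GroupB": 1102,
          "GroupC": 1103, "GroupD": 1104, "GroupE": 1105}
GROUP_SIDS = {name: "%s-%d" % (DOMAIN, rid) for name, rid in GROUPS.items()}

# What tokenGroups would hold for UserX in the thread's scenario: direct,
# nested and primary-group memberships, already expanded by the DC.
USERX_TOKEN_GROUPS = [sid_to_bytes(GROUP_SIDS[n])
                      for n in ("Domain Users", "GroupA", "GroupB", "GroupD", "GroupE")]

if __name__ == "__main__":
    for name in ("GroupB", "GroupE", "GroupC"):
        print(name, is_member(USERX_TOKEN_GROUPS, GROUP_SIDS[name]))
```

Against a live directory, the byte values come from reading tokenGroups on the user object itself; it is a constructed attribute, so it is only returned by a base-scope read of that object. Comparing SIDs instead of names also avoids the extra bind per group that is otherwise needed to resolve each name.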