
How to query AD to get memberships - BUT: including nested and built-in ones!


Bernhar...@web.de

Oct 18, 2006, 4:02:34 PM10/18/06
Hi all,

I've come across this issue and I have no idea how to query the AD to get the
correct result. My AD has five groups and a user (UserX). These groups have
members like this:

[GroupA]
-Domain Users

[GroupB]
-GroupA

[GroupC]
-UserC

[GroupD]
-UserX

[GroupE]
-GroupD

I can use these groups to secure NTFS folders, Registry keys, etc. Windows
will grant or deny access by looking up UserX's membership.
So UserX is a 'member' of the following groups (directly, nested or through
built-in groups):

GroupA
GroupB
GroupD
GroupE

But he is NOT in:

GroupC

Now, how can I query the AD to get the same result for the UserX?

E.g. is there a method like IsMemberOf("GroupB") or IsMemberOf("GroupE") -
which would return 'true'?

How does Windows determine the (nested or built-in) membership?

Thanks in advance
Bernie

I'm using .NET 2.0 and C#, or anything else that might help ;-)


Richard Mueller

Oct 18, 2006, 4:41:26 PM10/18/06
Hi,

Best is to use the tokenGroups attribute. This is a collection of group
Sids, including memberships due to nesting, and even the "primary" group.
The only memberships not included are cross-domain memberships. However,
values in the tokenGroups collection are byte arrays, so special coding is
needed. Also, you need to bind to the corresponding group to retrieve the
group name. I have a VBScript example linked here:

http://www.rlmueller.net/IsMember4.htm

I have not yet done this in .NET.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

<Bernhar...@Web.de> wrote in message
news:%23pmWuFv...@TK2MSFTNGP02.phx.gbl...

Joe Kaplan

Oct 18, 2006, 5:24:11 PM10/18/06
The easiest way to get a user's security group membership is via the logon
token. If you have authenticated them and can get a WindowsIdentity object,
you are all set. The Groups property has everything you need. It is also
possible to create a WindowsIdentity object for a user with only their
userPrincipalName (logon name) IF your code is running on Win2K3 or higher
and your AD is 2003 forest level. There is a constructor on WindowsIdentity
that takes a single string that does just that.

If you must resort to LDAP, then the tokenGroups attribute is the way to go
as Richard suggested. I'd suggest you just download ch 10 of my book from
the site in my sig as it shows exactly how to do that a few different ways
in the last part. The code samples may also be downloaded from the site.
If you like it, you might even consider buying the whole book. :) Don't
feel obligated though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
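An added C# example of the logon-token route Joe describes, written for this page rather than taken from his book or sample chapter. It assumes .NET 2.0 on Windows Server 2003 or later against a 2003 forest, which is what the single-string WindowsIdentity constructor (a Kerberos S4U logon, so no password is needed) requires; the UPN and group name are placeholders. The token this produces is fine for membership checks, but it is not a full logon, so do not expect to impersonate the user with it to open resources on their behalf.

```csharp
// Added example, not from the original post: read effective group
// membership from a Windows logon token instead of LDAP.
using System;
using System.Security.Principal;

public static class LogonTokenLookup
{
    // Build a token for a user from the UPN alone. Requires the code to run
    // on Windows Server 2003+ with a 2003 forest level. For the caller's own
    // account, WindowsIdentity.GetCurrent() gives the same kind of object.
    public static WindowsIdentity IdentityFor(string userPrincipalName)
    {
        return new WindowsIdentity(userPrincipalName);
    }

    // Everything Windows itself would use for an access check: direct,
    // nested and built-in groups (Domain Users, Authenticated Users, ...).
    // forceSuccess = false keeps SIDs that cannot be resolved to a name
    // (e.g. a deleted group) instead of throwing.
    public static string[] GroupNames(WindowsIdentity identity)
    {
        IdentityReferenceCollection resolved =
            identity.Groups.Translate(typeof(NTAccount), false);
        string[] names = new string[resolved.Count];
        for (int i = 0; i < resolved.Count; i++)
            names[i] = resolved[i].Value;
        return names;
    }

    // Closest thing to the IsMemberOf("GroupB") the poster asked for.
    // IsInRole(string) translates "DOMAIN\Group" to a SID and checks the token,
    // so nested and built-in memberships are already accounted for.
    public static bool IsMemberOf(WindowsIdentity identity, string domainQualifiedGroup)
    {
        return new WindowsPrincipal(identity).IsInRole(domainQualifiedGroup);
    }

    // Same check keyed on the group SID; prefer this when the group name is
    // not unique across trusted domains.
    public static bool IsMemberOf(WindowsIdentity identity, SecurityIdentifier groupSid)
    {
        return new WindowsPrincipal(identity).IsInRole(groupSid);
    }

    public static void Main()
    {
        // Placeholders; substitute real values from your domain.
        WindowsIdentity userX = IdentityFor("userx@example.com");

        foreach (string name in GroupNames(userX))
            Console.WriteLine(name);

        Console.WriteLine("In GroupE: " + IsMemberOf(userX, "EXAMPLE\\GroupE")); // true for the layout above
        Console.WriteLine("In GroupC: " + IsMemberOf(userX, "EXAMPLE\\GroupC")); // false
    }
}
```

The practical difference from the LDAP route is where the answer comes from: here the domain controller builds the same token it would build at logon, so cross-domain and well-known memberships appear exactly as an NTFS or registry ACL check would see them, at the cost of needing a live logon (S4U) for the user rather than a directory read.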


<Bernhar...@Web.de> wrote in message
news:%23pmWuFv...@TK2MSFTNGP02.phx.gbl...

Bernhar...@web.de

Oct 20, 2006, 12:13:18 AM10/20/06
Hi Richard,
thank you very much.
You (and Joe) pointed me in the right direction (and on to your script
samples :-} )

Bernie

"Richard Mueller" <rlmuelle...@ameritech.NOSPAM.net> schrieb im
Newsbeitrag news:uTnKKXv8...@TK2MSFTNGP02.phx.gbl...

Bernhar...@web.de

Oct 20, 2006, 1:13:04 AM10/20/06
Hi Joe,
thanks a lot. Especially for the sample chapter. This is exactly what I
missed. For me Microsoft's documentation on AD is very poor. So using the AD
in my current projects is somehow fragmentary (and messy).

Looks like your book is missing in our office...

Bernie

"Joe Kaplan" <joseph....@removethis.accenture.com> schrieb im
Newsbeitrag news:ez7KCvv8...@TK2MSFTNGP04.phx.gbl...
