Reputation: 2504
I'm attempting to load a list of groups for a user and want to show whether they have authority to edit group membership or not.
What in Active Directory indicates that a user can edit the members of a group, and how can I look this up using System.DirectoryServices in 3.5+?
I'm using the following to obtain the groups for a user:
using System.DirectoryServices.AccountManagement;

PrincipalContext principalContext = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(principalContext, userName);
if (user != null)
{
    // Security groups (including nested ones) that appear in the user's token
    PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
    foreach (Principal p in groups)
    {
        if (p is GroupPrincipal)
        {
            ... // per-group handling, elided in the original post
        }
    }
}
Any help appreciated.
Upvotes: 4
Views: 272
Reputation: 9712
This is very time consuming, due to the way that permissions are managed on objects. A similar question might be, "How do I list every folder on the domain that an account can write data to?" The reason this is time consuming is that each object holds its own Access Control List (ACL).
I'm fairly sure the only way to find out every group you can manage would be to check every group and see what the permissions are on that group, then compare your group membership to the permissions on the group.
"In Active Directory, how do I determine type of ActiveDirectoryAccessRule?" has some code which may prove helpful if this is the route you end up going.
A saner approach might be to use the "Delegate" field to delegate permissions to certain groups; this field could be easily queried using LDAP. Alternatively, let the person pick any group and then check the group's permissions after it has been selected.
Upvotes: 3
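The per-group ACL check the answer describes, written out as an added example (not the answerer's code): it reads each group's security descriptor through System.DirectoryServices, keeps only ACEs whose trustee is the user's own SID or one of the SIDs from GetAuthorizationGroups, and treats WriteProperty on the "member" attribute (or on all properties) as the right to edit membership. It assumes the caller can read each group's security descriptor and that the well-known schemaIDGuid for "member" below matches your forest.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

public static class GroupMembershipAuthority
{
    // Well-known schemaIDGuid of the "member" attribute; an ACE with ObjectType == Guid.Empty
    // applies to every property, so it is accepted as well.
    static readonly Guid MemberAttributeGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");

    const ActiveDirectoryRights WriteLikeRights =
        ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.GenericAll;

    // True if an Allow ACE for one of the user's SIDs grants a write-like right on "member",
    // and no Deny ACE for those SIDs covers the same attribute (deny treated as decisive).
    public static bool CanEditMembers(GroupPrincipal group, HashSet<SecurityIdentifier> userSids)
    {
        DirectoryEntry entry = (DirectoryEntry)group.GetUnderlyingObject();
        ActiveDirectorySecurity sd = entry.ObjectSecurity;
        bool allowed = false;
        foreach (ActiveDirectoryAccessRule rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!userSids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            bool coversMember = (rule.ActiveDirectoryRights & WriteLikeRights) != 0
                && (rule.ObjectType == Guid.Empty || rule.ObjectType == MemberAttributeGuid);
            if (!coversMember) continue;
            if (rule.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }

    // Resolves the user's token SIDs once, then reports each authorization group with a flag.
    public static IEnumerable<KeyValuePair<string, bool>> ListWithAuthority(string userName)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName);
            if (user == null) yield break;
            List<Principal> groups = new List<Principal>(user.GetAuthorizationGroups());
            HashSet<SecurityIdentifier> sids = new HashSet<SecurityIdentifier> { user.Sid };
            foreach (Principal p in groups) if (p.Sid != null) sids.Add(p.Sid);
            foreach (Principal p in groups)
            {
                GroupPrincipal g = p as GroupPrincipal;
                if (g != null) yield return new KeyValuePair<string, bool>(g.Name, CanEditMembers(g, sids));
            }
        }
    }
}
```

This only evaluates explicit and inherited WriteProperty-style ACEs; ownership of the group object and WriteDacl (which let a principal grant themselves the right) are not considered, so treat a false result as "not directly delegated" rather than "impossible".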