Reputation: 1243
We have an AD forest with two different domains. Let's say that we have domain A and domain B. We have a group "Admins" in domain A. Several groups from domain B were added to this group. How can I check whether a user belongs to the "Admin" group or to a group that is in the "Admin" group?
Scenario I considered:
Is it safe to compare the SID of a group object from domain A with the SID of the very same group that was added (linked) to domain B? Are the SIDs always unique in terms of one forest?
Update: One can use the solution proposed by Ashigore, or the solution I wrote:
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
// Returns the SIDs of all user members of the group, including members of nested groups.
public IEnumerable<SecurityIdentifier> ReadAllMembersRecursive(string groupName)
{
    // "domainname", "user to access" and "password" are placeholders; the context is disposed when done.
    using (var ctx = new PrincipalContext(ContextType.Domain, "domainname", "user to access", "password"))
    using (var groupPrincipal = GroupPrincipal.FindByIdentity(ctx, groupName))
    {
        if (groupPrincipal == null)
            return Enumerable.Empty<SecurityIdentifier>();
        // GetMembers(true) walks nested groups; materialise with ToList() before the context is disposed.
        using (var members = groupPrincipal.GetMembers(true))
            return members.OfType<UserPrincipal>().Select(p => p.Sid).ToList();
    }
}
IEnumerable<SecurityIdentifier> users = service.ReadAllMembersRecursive(groupName);
var identity = WindowsIdentity.GetCurrent();
var admin = users.Contains(identity.User); // SecurityIdentifier compares by value
Upvotes: 0
Views: 1704
Reputation: 4678
Try using the System.DirectoryServices.AccountManagement namespace:
// Returns every security group the user belongs to, directly or through nested groups.
static GroupPrincipal[] GetUserAuthorisationGroups(string userPrincipalName)
{
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.UserPrincipalName, userPrincipalName))
    {
        if (user == null)
            return new GroupPrincipal[0]; // unknown UPN: return no groups instead of throwing NullReferenceException
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            return groups.OfType<GroupPrincipal>().ToArray();
    }
}
GetAuthorizationGroups returns ALL security groups the user is a member of, either directly or because of nested groups. Then you can find groups by whatever way you want:
// szUPN, groupSid, groupDN and groupName are the caller's values for the user and the group being looked for.
GroupPrincipal[] groups = GetUserAuthorisationGroups(szUPN);
bool searchBySid = groups.Any(g => g.Sid == groupSid);              // SecurityIdentifier overloads ==
bool searchByDN = groups.Any(g => g.DistinguishedName == groupDN);
bool searchByName = groups.Any(g => g.Name == groupName);
Upvotes: 3
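Putting the two answers together for the cross-domain case in the question, here is an added example (not code from the question or the answer): the group's SID is resolved once in its own domain A, and the user's effective membership is then tested by SID against the authorization groups read from the user's domain B. Domain names, the "Admins" group name and the UPN are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper: effective (direct or nested) group membership, compared by SID.
public static class EffectiveMembership
{
    // Resolves the group's SID in the domain that owns the group, so callers never
    // compare display names, which can collide across domains or be renamed.
    public static SecurityIdentifier ResolveGroupSid(string groupDomain, string groupSamAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, groupDomain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSamAccountName))
        {
            if (group == null)
                throw new InvalidOperationException("Group not found: " + groupSamAccountName);
            return group.Sid;
        }
    }

    // True when the user's authorization groups (direct and nested) contain targetGroupSid.
    public static bool IsEffectiveMember(string userDomain, string userUpn, SecurityIdentifier targetGroupSid)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, userDomain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, userUpn))
        {
            if (user == null)
                return false; // unknown user is never treated as a member

            // Evaluate inside the using block, before the context is disposed. A null Sid
            // guards against principals the store could not resolve. Whether a group from
            // the other domain appears here can depend on its scope and on the trust, which
            // is one more reason to compare SIDs rather than names.
            using (var groups = user.GetAuthorizationGroups())
                return groups.Any(g => g.Sid != null && g.Sid.Equals(targetGroupSid));
        }
    }
}

// Usage with placeholder names:
// var adminsSid = EffectiveMembership.ResolveGroupSid("domainA.example", "Admins");
// bool isAdmin = EffectiveMembership.IsEffectiveMember("domainB.example", "alice@domainB.example", adminsSid);
```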