Reputation: 34909
I am trying to beef up my code that determines whether a user is a member of a given AD group. It essentially works except when the member of the group happens to be from another (trusted) domain because it is stored as a foreignsecurityprincipal.
Given that I have a valid DirectoryEntry object for both the Group I want to test, and the Account I want to check for, I need a DirectorySearcher Filter string that will allow me to confirm that the account is in that group, even if the account is a foreignsecurityprincipal.
(VB.NET code Sample demonstrating the issue)
Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User
Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
'Attribute-scoped query: evaluate the filter against the objects the group's member attribute points at
DSearcher.AttributeScopeQuery = "member"
'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)
Upvotes: 3
Views: 1952
Reputation: 34909
Okay. Found it. Here's the trick.
(VB.NET code Sample)
Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User
'Filter on the account's SID: a foreignSecurityPrincipal carries the foreign account's SID as its objectSid
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
'Attribute-scoped query: match the filter against the group's members, not the group object itself
DSearcher.AttributeScopeQuery = "member"
'If an object is found, the account (or its foreignSecurityPrincipal) was in the group
Return (DSearcher.FindOne() IsNot Nothing)
** Helper Methods **
'Builds an LDAP filter that matches the object whose objectSid equals the entry's SID (SDDL string form)
Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function
'Reads the raw objectSid bytes from the entry and converts them to the "S-1-5-..." string form
Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
Return sid.ToString()
End Function
Upvotes: 1
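Added example (not code from the question or answer above): the same attribute-scoped membership check written as a self-contained function, but building the objectSid filter from the raw SID bytes with RFC 4515 hex escapes instead of the "S-1-5-..." string form, so it does not depend on AD's special parsing of SDDL strings. The names SidFilterFromBytes and IsDirectMember are hypothetical; it assumes both DirectoryEntry objects are already bound and checks direct membership only (an attribute-scoped query on member does not follow nested groups).

```vb
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text

Module GroupMembershipCheck

    ' Build "(objectSid=\01\05\00...)" from the raw SID bytes.
    ' Each byte is escaped as \xx per RFC 4515, which is valid for any binary attribute.
    Public Function SidFilterFromBytes(ByVal sidBytes As Byte()) As String
        Dim sb As New StringBuilder("(objectSid=")
        For Each b As Byte In sidBytes
            sb.Append("\"c).Append(b.ToString("x2"))
        Next
        Return sb.Append(")"c).ToString()
    End Function

    ' True when the account is a direct member of the group. Works for accounts from a
    ' trusted domain because their foreignSecurityPrincipal object in the local domain
    ' carries the foreign account's SID as its objectSid.
    Public Function IsDirectMember(ByVal group As DirectoryEntry, ByVal account As DirectoryEntry) As Boolean
        Dim sidBytes As Byte() = TryCast(account.Properties("objectSid").Value, Byte())
        If sidBytes Is Nothing Then
            Throw New InvalidOperationException("Account entry has no objectSid; cannot test membership by SID.")
        End If

        ' Base scope on the group plus AttributeScopeQuery = "member" makes the server
        ' evaluate the filter against the objects the group's member attribute points at.
        Using searcher As New DirectorySearcher(group, SidFilterFromBytes(sidBytes), _
                                                New String() {"distinguishedName"}, SearchScope.Base)
            searcher.AttributeScopeQuery = "member"
            Return searcher.FindOne() IsNot Nothing
        End Using
    End Function

End Module
```

The SDDL string filter from the answer and this byte-escaped filter match the same object; the escaped form is the one to use if a non-AD LDAP server or a strict filter parser rejects the string form.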