jgauffin

Reputation: 101130

Checking group membership

I'm using UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups() to authorize a user against a group in active directory. It works fine for simple groups, but not for nested groups. Let's say that I got the following structure:

Administrators members:
  SomeAdminAccountName

Users members
  Administrators
  SomeUserAccountName

The Users group contains the Administrators group (since all administrators should be able to do what users can). The problem is that UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups() does not include the Users group.

If I use GroupPrincipal.FindByIdentity(ctx, groupName).Members I do see that the Administrators group is part of it, but the administrator account is not included.

My question is:

Do I need to do a recursive group check to find a user or is there another way that I haven't found?

Upvotes: 0

Views: 304

Answers (2)

Jacob Proffitt

Reputation: 12768

You could be the victim of Windows User Access Control (Vista or Win7). When an admin logs on with UAC enabled, Windows creates a "split token"—i.e. they run as if their account isn't part of the admin group unless/until their permissions for the running process are explicitly elevated. You can verify if this is the case by elevating the executing process by running it as admin (or starting VS as admin if you're running under VS debug mode).

Upvotes: 1

BellBat

Reputation: 145

To check a user against a group I would try IsMemberOf.

You may also approach the problem from the other direction: find the group and get all members using the GetMembers function with the recursive flag set. As most applications use a small number of groups, you should be able to cache this for reuse; in my work, 5-30 minutes is usually an acceptable caching time.

Upvotes: 2
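The "other direction" approach from the answer above, written out as an added example (not code from the question or either answer): resolve the group once with GetMembers(recursive: true), cache the member SIDs for a short TTL, and compare the user's SID against that set. It assumes a domain PrincipalContext, sAMAccountName lookups, and the hypothetical names IsUserInGroup/GetMemberSids.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Authorization helper (added example): flattens nested group membership once,
// caches the member SIDs, and answers "is this account in that group?".
public static class GroupAuthorizer
{
    // Cache TTL; the answer above reports 5-30 minutes as usually acceptable.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(10);

    // group sAMAccountName -> (time loaded, SIDs of all users in it, nesting flattened)
    private static readonly ConcurrentDictionary<string, (DateTime loadedAt, HashSet<SecurityIdentifier> sids)>
        Cache = new ConcurrentDictionary<string, (DateTime, HashSet<SecurityIdentifier>)>();

    public static bool IsUserInGroup(string userSamAccountName, string groupSamAccountName)
    {
        // Compare SIDs, not names: an account rename must not change an authorization decision.
        using var ctx = new PrincipalContext(ContextType.Domain);
        using var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userSamAccountName);
        if (user == null) return false; // unknown account: fail closed

        return GetMemberSids(ctx, groupSamAccountName).Contains(user.Sid);
    }

    private static HashSet<SecurityIdentifier> GetMemberSids(PrincipalContext ctx, string groupSamAccountName)
    {
        if (Cache.TryGetValue(groupSamAccountName, out var entry) && DateTime.UtcNow - entry.loadedAt < CacheTtl)
            return entry.sids;

        var sids = new HashSet<SecurityIdentifier>();
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSamAccountName))
        {
            if (group == null) return sids; // missing group: nobody is a member, fail closed

            // recursive: true walks nested groups, so Users -> Administrators -> SomeAdminAccountName resolves.
            using var members = group.GetMembers(recursive: true);
            foreach (var member in members)
            {
                if (member is UserPrincipal) sids.Add(member.Sid);
                member.Dispose();
            }
        }
        Cache[groupSamAccountName] = (DateTime.UtcNow, sids);
        return sids;
    }
}
```

A caller such as GroupAuthorizer.IsUserInGroup("SomeAdminAccountName", "Users") then returns true for the structure in the question; the cache is per process, so membership changes are seen only after the TTL expires.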
