GromitW (United States of America) asked:

ASP.NET 2.0 C# Active Directory Search User Groups

I need to search an Active Directory security group that may include nested security groups to see if a user is in the security group or nested security groups within the group.  I am using ASP.NET 2.0 C#.  Thanks.
Tags: .NET Programming, Active Directory, C#


Chris Dent

Hmm, I can show you how in VBScript; it's a little tricky for me to convert that to C# given my extremely limited knowledge of it. Anyway, it may help, and it's better than no response at all.

The Function does the following:

1. Original call with Group Name to test and x as 0. e.g. booIsMember = RecursiveIsMember("Some Group",, 0)
2. On first pass it links to the User, effectively as a Directory Entry, then pulls the "memberOf" attribute
3. Checks whether the group matches "Some Group"
4. If the name doesn't match it pulls the "memberOf" attribute for each group and passes it back to the Function. "memberOf" is passed as arrGroups.
5. Repeats 3 and 4 until either no groups remain or a match is found.

There is a potential problem if it bumps into circular nesting. e.g. Group 1 is in Group 2. Group 2 is in Group 3. Group 3 is in Group 1. Never bumped into that in production though.

x and y are only for debugging; they display the groups as a tree to highlight nesting.

Chris

Function RecursiveIsMember(strGroup, arrGroups, x)
	' Return Type: Boolean
	'
	' Goes through Nested Groups until either booIsMember is True or there are no more groups to check.
	' First call: RecursiveIsMember("Some Group", Empty, 0). Anything that is not an array for
	' arrGroups makes the function load the current user's "memberOf" attribute itself.
	' Note: no protection against circular nesting (A in B, B in C, C in A).

	Dim objADSystemInfo, objUser, objGroup
	Dim strGroupDN
	Dim arrTemp
	Dim booIsMember
	Dim y	' Indent level for the (commented-out) debug tree output

	booIsMember = False

	On Error Resume Next
	If Not IsArray(arrGroups) Then
		' First pass: bind to the current user and read its direct group memberships
		Set objADSystemInfo = CreateObject("ADSystemInfo")
		Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)
		arrGroups = objUser.GetEx("memberOf")
		Set objUser = Nothing
		Set objADSystemInfo = Nothing
	End If

	For Each strGroupDN In arrGroups
		Err.Clear
		Set objGroup = GetObject("LDAP://" & strGroupDN)
		' WScript.Echo Space(x) & objGroup.Get("name")
		If Err.Number = 0 Then
			If LCase(objGroup.Get("name")) = LCase(strGroup) Then
				booIsMember = True
				Exit For
			Else
				Err.Clear
				' Groups this group is itself a member of (GetEx fails if there are none)
				arrTemp = objGroup.GetEx("memberOf")
				If Err.Number = 0 Then
					y = x + 2
					' Recurse into the parent groups of this group
					booIsMember = RecursiveIsMember(strGroup, arrTemp, y)
					If booIsMember = True Then
						Exit For
					End If
				End If
			End If
		End If
		Set objGroup = Nothing
	Next
	On Error Goto 0
	RecursiveIsMember = booIsMember
End Function


GromitW (asker)

Thanks Chris. However, what about using the SID, since memberOf does not pick up the primary group?
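As an added example (not code from either participant in this thread), here is a .NET 2.0 C# version of the recursive walk Chris describes that also addresses the follow-up: the primary group is absent from memberOf, so it is located from the user's objectSid plus primaryGroupID, and a visited set stops the circular nesting Chris mentions. The LDAP root path, the sAMAccountName lookup and the class/method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
// Added example, not from the thread. Returns true if the user (by sAMAccountName) is in the named
// group directly, through nesting, or through the primary group that memberOf omits. ldapRoot is an
// assumption, e.g. "LDAP://DC=example,DC=com"; the caller's identity must be allowed to read AD.
public static class NestedGroupCheck
{
    public static bool IsUserInGroup(string ldapRoot, string samAccountName, string groupName)
    {
        SearchResult user;
        using (DirectoryEntry root = new DirectoryEntry(ldapRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root,
            "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(samAccountName) + "))",
            new string[] { "memberOf", "primaryGroupID", "objectSid" }))
            user = searcher.FindOne();
        if (user == null) return false;
        List<string> toVisit = new List<string>();
        foreach (object dn in user.Properties["memberOf"]) toVisit.Add((string)dn);
        // Primary group: domain SID + primaryGroupID as RID, bound through the <SID=...> moniker.
        SecurityIdentifier userSid = new SecurityIdentifier((byte[])user.Properties["objectSid"][0], 0);
        string primarySid = userSid.AccountDomainSid.Value + "-" + user.Properties["primaryGroupID"][0];
        using (DirectoryEntry primary = new DirectoryEntry("LDAP://<SID=" + primarySid + ">"))
            toVisit.Add((string)primary.Properties["distinguishedName"].Value);
        // Visited set (a Dictionary, since HashSet is not in .NET 2.0) stops circular nesting from looping.
        Dictionary<string, bool> visited = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        while (toVisit.Count > 0)
        {
            string dn = toVisit[toVisit.Count - 1];
            toVisit.RemoveAt(toVisit.Count - 1);
            if (visited.ContainsKey(dn)) continue;
            visited[dn] = true;
            // A "/" inside a DN must be escaped as "\/" when it is placed in an ADsPath.
            using (DirectoryEntry group = new DirectoryEntry("LDAP://" + dn.Replace("/", "\\/")))
            {
                string name = (string)group.Properties["name"].Value;
                if (string.Equals(name, groupName, StringComparison.OrdinalIgnoreCase)) return true;
                foreach (object parent in group.Properties["memberOf"]) toVisit.Add((string)parent);
            }
        }
        return false;
    }
    // RFC 4515 escaping so a user-supplied account name cannot change the LDAP filter.
    static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Comparing on the group's name mirrors Chris's script; matching on distinguishedName instead avoids false positives when two groups in different containers share a name.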
ASKER CERTIFIED SOLUTION
Chris Dent
