Solved

.Net 4.5 application: Unable to determine Active Directory Group membership for nested groups

Posted on 2014-12-16
Last Modified: 2015-02-16
I have an ASP.Net 4.5 application using integrated security. I have no problem finding the groups the logged-in user is directly a member of but am unable to return the groups they are a member of via nested group membership.

The code below returns only users who are directly a member of the group:
// Bind to the domain and look up the group by name
var MyDomain = new PrincipalContext(ContextType.Domain, "MyDomain");
GroupPrincipal grp = GroupPrincipal.FindByIdentity(MyDomain, IdentityType.Name, "MyGroupName");

// List the group's members; the argument true asks GetMembers for a recursive search
foreach (var p in grp.GetMembers(true))
	testing += p.Name + "<br>";


And this code returns only groups the user is directly a member of:

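// Bind to the domain and look up the logged-in user
var MyDomain = new PrincipalContext(ContextType.Domain, "MyDomain");
UserPrincipal usr = UserPrincipal.FindByIdentity(MyDomain, Request.LogonUserIdentity.Name);

// GetGroups() lists the groups the user belongs to directly
foreach (var p in usr.GetGroups())
	testing += "<br>" + p.Name;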


How can I retrieve all the users associated with a given group or all the groups associated with a given user?

Ideally I want to ask "Is this user a member of this group", like the functionality IsMemberOf() provides. This is how I started, only to find that the method does not support nested groups either.
Question by:canuckconsulting

Accepted Solution

by: Ammar Gaffar (earned 500 total points)
ID: 40517493
Hi,
Try this function
// requires: using System.DirectoryServices.AccountManagement;
private bool IsUserInGroup(string groupName, string userName, string domainName)
{
    // set up domain context (disposed when the check completes)
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domainName))
    {
        // find a user
        UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName);

        // find the group in question
        GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName);

        // a missing user or group means "not a member";
        // IsMemberOf throws if it is handed a null group
        if (user == null || group == null)
        {
            return false;
        }

        // check if user is member of that group
        return user.IsMemberOf(group);
    }
}


I am using this dll: System.DirectoryServices.AccountManagement
Path: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.DirectoryServices.AccountManagement.dll

Author Closing Comment

by:canuckconsulting
ID: 40612224
Sorry for delay replying
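
An added example, not code from the thread's participants: two ways to ask the question's "is this user a member of this group" so that nested membership counts, both denying access when a lookup fails. The class and method names are hypothetical, and the domain and group names passed in are whatever the application uses (the question's "MyDomain" and "MyGroupName" are placeholders).

```csharp
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

public static class NestedGroupCheck   // hypothetical helper, not from the thread
{
    // Caller of a request under integrated security: the Windows logon token
    // already carries the SIDs of groups reached through nesting.
    public static bool CallerIsInGroup(WindowsIdentity caller, string domainName, string groupName)
    {
        if (caller == null || !caller.IsAuthenticated) return false;   // fail closed
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domainName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
            {
                if (group == null || group.Sid == null) return false;
                return new WindowsPrincipal(caller).IsInRole(group.Sid);
            }
        }
        catch (PrincipalException) { return false; }   // directory error: deny
    }

    // Any account name: GetAuthorizationGroups() walks nested membership but
    // returns security groups only, so distribution groups never match.
    public static bool UserIsInGroup(string domainName, string userName, string groupName)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domainName))
            using (var user = UserPrincipal.FindByIdentity(ctx, userName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
            {
                if (user == null || group == null || group.Sid == null) return false;
                using (var groups = user.GetAuthorizationGroups())
                {
                    // Compare SIDs, not names: names can collide across domains.
                    return groups.Any(g => group.Sid.Equals(g.Sid));
                }
            }
        }
        catch (PrincipalException) { return false; }   // directory error: deny
    }
}
```

From a page, the first check would be called as `NestedGroupCheck.CallerIsInGroup(Request.LogonUserIdentity, "MyDomain", "MyGroupName")`. Token membership is fixed at logon, so a group change in AD shows up only in a new logon session.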