How To Check Whether A User Belongs To An AD Group And Nested Groups
Apr 21, 2010
I have an ASP.NET 3.5 application using Windows Authentication and implementing our own RoleProvider.
Problem is we want to restrict access to a set of pages to a few thousand users and rathern than inputing all of those one by one we found out they belong to an AD group.
The answer is simple if the common group we are checking membership against the particular user is a direct member of it but the problem I'm having is that if the group is a member of another group and then subsequently member of another group then my code always returns false.
For example: Say we want to check whether User is a member of group E, but User is not a direct member of *E", she is a member of "A" which a member of "B" which indeed is a member of E, therefore User is a member of *E"
One of the solutions we have is very slow, although it gives the correct answer
using (var context = new PrincipalContext(ContextType.Domain))
{
using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, "DL-COOL-USERS"))
{
var users = group.GetMembers(true); // recursively enumerate
return users.Any(a => a.Name == "userName");
}
}
The original solution and what I was trying to get to work, using .NET 3.5 System.DirectoryServices.AccountManagement and it does work when users are direct members of the group in question is as follows:
public bool IsUserInGroup(string userName, string groupName)
{
var cxt = new PrincipalContext(ContextType.Domain, "DOMAIN");
var user = UserPrincipal.FindByIdentity(cxt, IdentityType.SamAccountName, userName);
if (user == null)
{
return false;
}
var group = GroupPrincipal.FindByIdentity(cxt, groupName);
if (group == null)
{
return false;
}
return user.IsMemberOf(group);
}
The bottom line is, we need to check for membership even though the groups are nested in many levels down.
I have a windows user accounts which i just created take XYZ for example.
This XYZ belongs to a User group and a custom group i created in Computer Management --> Local users and groups.
So in properties i see that the user belongs to the 2 groups.
Now i want to get those groups and display them. any suggestions???
i have done this but this is not right as it gives me the roles of SQL (i think)
here is what i did:
after logging in and impersonating i call the function
getUserGroups();
private void getUserGroups() { // collect the user domain and identity string[] arr = System.Web.HttpContext.Current.Request. LogonUserIdentity.Name.Split('\'); // update the display to show // the captured domain and user if (arr.Length > 0) { new GUIUtility().LogMessageToFile("User Name" + arr[0].ToString()); new GUIUtility().LogMessageToFile("User Domain" + arr[1].ToString()); } // create an arraylist and populate // it with the list of groups that // the current user belongs to ArrayList al = new ArrayList(); al = GetGroups(); // check to see if the user belongs // to a specific group and create // a list of all of the user's groups foreach (string s in al) { // add this one to the list new GUIUtility().LogMessageToFile("Group" + s); // check to see if the user // belongs to a specific group //if (s == "BXSWLT\SomeCustomGroup") //{ // // change the label to show // // there was a match // lblMemberOfGroup.Text = "YES"; //} } } public ArrayList GetGroups() { ArrayList groups = new ArrayList(); foreach (System.Security.Principal.IdentityReference group in System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups) { groups.Add(group.Translate(typeof (System.Security.Principal.NTAccount)).ToString()); } return groups; }
the Result i get is:
9/8/2010 5:57:22 PM: User Name NT AUTHORITY. 9/8/2010 5:57:22 PM: User Domain IUSR. 9/8/2010 5:57:22 PM: Group Everyone. 9/8/2010 5:57:22 PM: Group BUILTINUsers. 9/8/2010 5:57:22 PM: Group NT AUTHORITYAuthenticated Users. 9/8/2010 5:57:22 PM: Group NT AUTHORITYThis Organization. 9/8/2010 5:57:22 PM: Group LOCAL.
In my organization we use nested groups. For a particular usage, we have a group (let's assume that the group name "kuku"), and the names of all the nested groups under it contains "kuku" as well.
We may assume that no other group in the LDAP has "kuku" in the name.
I need to create a filter which will return all the users which belong to one of the "kuku"s group.
Obviously, using this filter will bring only the head kukus
(&(&(objectclass=user)(objectclass=person))(memberOf=CN=kuku,cn=...rest of the group DN...))
How can I use wild card to fetch all users which belong to any kuku?
For example: (&(&(objectclass=user)(objectclass=person))(memberOf=CN=.*kuku.*))
i have the code to get the members of a local group example administrators
private void GetUserGrps() { using (DirectoryEntry groupEntry = new DirectoryEntry("WinNT://./Administrators,group")) { foreach (object member in (IEnumerable)groupEntry.Invoke("Members")) { using (DirectoryEntry memberEntry = new DirectoryEntry(member)) { new GUIUtility().LogMessageToFile(memberEntry.Path); } } }
Is there a way to get the groups a local user belongs to using directory services?
without using activedirectory or domain in it because i want for the local machine only and not for a domain.
I'm using a linq group by query (with two grouping parameters) and would like to use the resulting data in a nested repeater.
var dateGroups = from row in data.AsEnumerable() group row by new { StartDate = row["StartDate"], EndDate = row["EndDate"] }; "data" is a DataTable from an SqlDataAdapter-filled DataSet. "dateGroups" is used in the parent repeater, and I can access the group keys using Eval("key.StartDate") and Eval("key.EndDate").
Since dateGroups actually contains all the data rows grouped neatly by Start/End date, I'd like to access those rows to display the data in a child repeater. To what would I set the child repeater's DataSource? I have tried every expression in markup I could think of; I think the problem is that I'm trying to access an anonymous member (and I don't know how.) In case it doesn't turn out to be obvious, what would be the expression to access the elements in each iteration of the child repeater? Is there an expression that would let me set the DataSource in the markup, or will it have to be in the codebehind on some event in the parent repeater?
i have a code to get the groups a user belongs to.
try { DirectoryEntry adRoot = new DirectoryEntry(string.Format("WinNT://{0}", Environment.UserDomainName)); DirectoryEntry user = adRoot.Children.Find(completeUserName, "User"); object obGroups = user.Invoke("Groups"); foreach (object ob in (IEnumerable)obGroups) { // Create object for each group. DirectoryEntry obGpEntry = new DirectoryEntry(ob); listOfMyWindowsGroups.Add(obGpEntry.Name); } return true; } catch (Exception ex) { new GUIUtility().LogMessageToFile("Error in getting User MachineGroups = " + ex); return false; }
the above code works fine when i have to find the groups of a local user but
for a domain user it returns a value "Domain User" which is kind of wierd as it is a part of 2 local groups.
Research
I did some finding and got that i am being returned the primary group of the domain user
called "Domain User" group
but what i actually want is the groups of the local machines the domain user is a part of... i cannot get that.. any suggestions
another code using LDAP
string domain = Environment.UserDomainName; DirectoryEntry DE = new DirectoryEntry("LDAP://" + domain, null, null, AuthenticationTypes.Secure); DirectorySearcher search = new DirectorySearcher(); search.SearchRoot = DE; search.Filter = "(SAMAccountName=" + completeUserName + ")"; //Searches active directory for the login name search.PropertiesToLoad.Add("displayName"); // Once found, get a list of Groups try { SearchResult result = search.FindOne(); // Grab the records and assign them to result if (result != null) { DirectoryEntry theUser = result.GetDirectoryEntry(); theUser.RefreshCache(new string[] { "tokenGroups" }); foreach (byte[] resultBytes in theUser.Properties["tokenGroups"]) { System.Security.Principal.SecurityIdentifier mySID = new System.Security.Principal.SecurityIdentifier(resultBytes, 0); DirectorySearcher sidSearcher = new DirectorySearcher(); sidSearcher.SearchRoot = DE; sidSearcher.Filter = "(objectSid=" + mySID.Value + ")"; sidSearcher.PropertiesToLoad.Add("distinguishedName"); SearchResult sidResult = sidSearcher.FindOne(); if (sidResult != null) { listOfMyWindowsGroups.Add((string)sidResult.Properties["distinguishedName"][0]); } } } else { new GUIUtility().LogMessageToFile("no user found"); } return true; } catch (Exception ex) { new GUIUtility().LogMessageToFile("Error obtaining group names: " + ex.Message + " Please contact your administrator."); // If an error occurs report it to the user. return false; }
this works too but i get the same result "Domain Users" . Please can some1 tell me how to get the local machine groups...?
I have a table with a field "item id" that I am joining to two other tables that have multiple records for each item id. In other words, I have 1 item id, 5 records in another table tied to this item and 5 records in another table tied to this item. I am trying to build a report that shows the item and then follow the item with two groupings. Each group would of course have the 5 records per the other two tables. Here is my problem. I can get the report to show an item and one of the detail group of 5 records but for the life of me I cannot get the second group of 5 to group and print. Both groups of 5 get either lumped together or it will print them 1 record at a time switching back and forth. How do you do this? Do I have to do something special in the Sql query or something.
I have a piece of code which gets clients list from a database and write to XML as follows:
[Code]....
Which Creates XML file as follows:
[Code]....
I need to group the client list in my online site to show(group) each 4 clients within separate div and ul
[Code]....
My target is to use one of the following two directions:
1 - Find a solution to group data while generating the XML file to groups of 4 items
[Code]....
2 - Try to group the xml in my repeater by finding a solution for nasted-like repeater or custom item template and separator template to make the output like the above div/ul structure
I also have no problem if we can do this through the SQL stored procedure
I'm working on a portal, and I need to check users conection on the ldap.
And if users are members of a special group then it works.
I've exactly used this link to make it works : http://msdn.microsoft.com/en-us/library/ff649227.aspx (almost work)
My point is : my ldap path seems good, no error anymore, when I log with my username and password.But when I querry it, it returns null, but I'm sure my user is in the group :
// Bind to the native AdsObject to force authentication. Object obj = entry.NativeObject; DirectorySearcher search = new DirectorySearcher(entry); search.Filter = "(SAMAccountName=" + username + ")"; search.PropertiesToLoad.Add("cn"); SearchResult result = search.FindOne(); if(null == result) { return false; }
I'm a normal user, i test with my account. I'm a member of the group that I'm looking for.
I have enabled User Rolls and assigned several Roll names such as 10, 11, 12, etc. I have a SQL Table that contains various fields of information including one named AuthorizedUserRoll, it's nchar(2).
A logged in user should only see the records in Gridview that matches his/her roll.
I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:
[Code]....
I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:
[Code]....
I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:
[Code]....
I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.
What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).
I have a user that when I attempt to enumerate her groups using either System.Security.Principal.WindowsIdentity.GetCurrent().Groups on user's computer or System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups on the IIS server, I get a list of their old groups, not their new. I have checked the DC that they authenticate to and the ASP.NET page is running inside a SharePoint instance so the LogonUserIdentity most like is being provided from there Kerberos ticket. Should I be looking up the groups directly from the AD instead of relying on the WindowsIdentity or LogonUserIdentity?
I'm new to LINQ and C# but I have an xml file generated from a database table. Within the XML document is a element called "group", I would like to wrap all group elements with the element called "groups".
I have group of radio buttons, each group ranges from 5 - 27 radiobuttons. And if any radio button in a group is checked I store 1 in db else I store 0. Now I'm checking each radiobutton using if loop to see if they are checked and set database value. I'm also trying to use the code below. Is there a good/better approach to check if they are checked or not?Current code:
'rname is radiobutton prefix for a given group 'cnt is number of radiobuttons in the group Private Function RadioIsChecked(ByVal rname As String, ByVal cnt As Integer) As Integer
In asp.net/c#, is there a way to find all of the AD level user groups from a given domain in which the logged in user belongs to? E.g. I have a domain level user and few groups. I want to pass in the domain name and the logged in user's user name and get a list of AD groups of that particular domain.
I am using tabstrip control. each tab page have set of controls and each have different validation group. I have a common button to insert / update the tab datas. Now when a user entered the information in the first tab and press insert button, i need to validate second page also.
So i explicitely called Page.validate() metyhod in the insert button to ensure all the validation passed or not. All working fine. But i need to focus the second tab when user finished first page and not finished ssecond page. How can i focus the tab. I mean any way to check which validation group fails?
I've been searching for a solution to get a list of the AD Groups for at specific AD user. I'll need the current user logged in and would like to query by the username. The problem is that all the solutions I find on the web uses System.DirectoryServices - and I can't find the dll in my .Net 4.0 webproject (I only have System.DirectoryServices.AccountManagement) - so I can't use any of the examples that I've found. Is there a difference way to query the AD through 4.0 compared to 2.0? I could really use some examples, articles or just good advise to get moving - I'm kind of stuck at the moment.
