Check AD group membership

Rob Oldfield

Does anyone have some code that will allow me to tell if the current user of
a Windows Forms app is in a particular AD group?

I've looked at the IsInRole way of doing it, using something like this...

Imports System.Security.Principal

Private Function InGroup(ByVal grp As String) As Boolean
    ' Check the current process token for membership of DOMAIN\group
    Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
    Dim p As New WindowsPrincipal(id)
    InGroup = p.IsInRole("DomainName\" & grp)
End Function

....but that only works for built-in groups like Domain Users and Domain
Admins (do I have that correct?) so is of no use to me. The groups I want
to check are custom made new ones.

I've also looked at something like this...

Imports System.DirectoryServices

Dim entry As New DirectoryEntry("LDAP://Domain_Name")
Dim mySearcher As New DirectorySearcher(entry)
Dim result As SearchResult
mySearcher.Filter = "(anr=MyGroupName)"
result = mySearcher.FindOne()

....which gets me the correct security group, but I'm then stuck on how I can
get at its members.

Any ideas would be most appreciated.
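As an added example (not code from the thread), both routes side by side: the token-based IsInRole check, and a DirectorySearcher lookup that reads the group's "member" attribute, which is the part the question is stuck on. It assumes the group is looked up by sAMAccountName, and "DomainName", "Domain_Name" and "MyGroupName" are the thread's own placeholders.

```vb
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Security.Principal

Module GroupCheck

    ' Token-based check (the IsInRole route). The token is built at logon, so a
    ' user added to a group after logging on is not seen until they log on again.
    Function InGroup(ByVal domain As String, ByVal grp As String) As Boolean
        Dim p As New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Return p.IsInRole(domain & "\" & grp)
    End Function

    ' Directory lookup: find the group by sAMAccountName and return the DNs in
    ' its "member" attribute. Direct members only; nested groups are not expanded.
    Function GroupMembers(ByVal ldapPath As String, ByVal grp As String) As List(Of String)
        Dim members As New List(Of String)
        Using entry As New DirectoryEntry(ldapPath)
            Using searcher As New DirectorySearcher(entry)
                ' Escape the name so it cannot change the shape of the LDAP filter.
                searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & EscapeFilter(grp) & "))"
                searcher.PropertiesToLoad.Add("member")
                Dim result As SearchResult = searcher.FindOne()
                If result IsNot Nothing Then
                    For Each dn As Object In result.Properties("member")
                        members.Add(CStr(dn))
                    Next
                End If
            End Using
        End Using
        Return members
    End Function

    ' RFC 4515 escaping for a value placed inside an LDAP search filter.
    Function EscapeFilter(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a") _
                    .Replace("(", "\28").Replace(")", "\29") _
                    .Replace(Convert.ToChar(0).ToString(), "\00")
    End Function

    Sub Main()
        ' "DomainName", "Domain_Name" and "MyGroupName" are placeholders from the thread.
        Console.WriteLine(InGroup("DomainName", "MyGroupName"))
        For Each dn As String In GroupMembers("LDAP://Domain_Name", "MyGroupName")
            Console.WriteLine(dn)
        Next
    End Sub
End Module
```

The two checks can disagree for a freshly changed group: the directory reflects the change once replicated, while IsInRole keeps answering from the logon token.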
 
Nico Debeuckelaere

Rob,

I don't see a mistake in your code but IsInRole also works for custom roles.
I use that function a lot with non built-in groups.

Regards,

--

Nico Debeuckelaere

ND-Sign BVBA (Microsoft Certified Partner since 2004)
Pierstraat 135
B-2840 Rumst
URL: http://www.nd-sign.com
== ND-Sign, Designed for you ==
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Rob Oldfield

Thanks for the info Nico, but I still can't get it to work properly. I have
actually found a non-built-in group that reports my membership correctly,
but if I copy that group and check the new group then my function is
reporting incorrectly. Do you know if there is any limitation on the groups
that this works with - 'not in lower-level OUs' or 'pre-Win 2K name has to
be the same as the Win 2K name' kind of thing?

Thanks again.
 
Rob Oldfield

OK. Problem solved. I was working on a machine over a WAN connection to
the main DC. Looks like I just wasn't leaving it long enough for changes in
group membership to filter down (even though I was checking my local copy of
ADUC before expecting it to work). Just installed a dummy app onto a
machine connected via LAN to the main DC and everything works fine.

Thanks for keeping me on the right lines Nico. Very useful to know that my
code worked elsewhere.
 
Nico Debeuckelaere

My pleasure ;0)

Rob Oldfield said:
OK. Problem solved. I was working on a machine over a WAN connection to
the main DC. Looks like I just wasn't leaving it long enough for changes in
group membership to filter down (even though I was checking my local copy of
ADUC before expecting it to work). Just installed a dummy app onto a
machine connected via LAN to the main DC and everything works fine.

Thanks for keeping me on the right lines Nico. Very useful to know that my
code worked elsewhere.
 
