J
Jeff Williams
How can I get a list of the Groups both Local and Domain groups a User
belongs to.
belongs to.
D
Dave Sexton
Hi,
On a Windows Server 2003 domain you can construct a WindowsIdentity by
passing in the user's name in the form, name@domain:
"WindowsIdentity(String) Constructor"
http://msdn2.microsoft.com/en-us/library/td3046fc.aspx
Then you can access the Groups property (2.0 framework only):
"WindowsIdentity.Groups Property"
http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.groups.aspx
If you can't use the above solution since you are using a different version
of the framework or a different domain then I think you'll have to resort to
the unmanaged APIs such as LogonUser:
"LogonUser"
http://msdn2.microsoft.com/en-us/library/aa378184.aspx
The above will get you the User's token, which you can pass to the following
function:
"GetTokenInformation"
http://msdn2.microsoft.com/en-us/library/aa446671.aspx
Specify the value of TOKEN_GROUPS for the TokenInformationClass argument.
(Note that I haven't used these APIs myself)
You'll have to use P/Invoke for this, of course
On a Windows Server 2003 domain you can construct a WindowsIdentity by
passing in the user's name in the form, name@domain:
"WindowsIdentity(String) Constructor"
http://msdn2.microsoft.com/en-us/library/td3046fc.aspx
Then you can access the Groups property (2.0 framework only):
"WindowsIdentity.Groups Property"
http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.groups.aspx
If you can't use the above solution since you are using a different version
of the framework or a different domain then I think you'll have to resort to
the unmanaged APIs such as LogonUser:
"LogonUser"
http://msdn2.microsoft.com/en-us/library/aa378184.aspx
The above will get you the User's token, which you can pass to the following
function:
"GetTokenInformation"
http://msdn2.microsoft.com/en-us/library/aa446671.aspx
Specify the value of TOKEN_GROUPS for the TokenInformationClass argument.
(Note that I haven't used these APIs myself)
You'll have to use P/Invoke for this, of course
M
Mark Rae
You'll have to use P/Invoke for this, of course
System.DirectoryServices will do all of this, and much more, for you without
recourse to p/invoke...
using System;
using System.Collections.Generic;
using System.DirectoryServices;
public static List<string> GetGroupsForUser(string pstrUser)
{
/// <summary>
/// Gets the groups a user is a member of
/// </summary>
/// <param name="pstrGroup">ActiveDirectory group to evaluate</param>
/// <returns>List<string> of groups for pstrUser</returns>
DirectorySearcher objDS = null;
SearchResult objSR = null;
DirectoryEntry objUser = null;
List<string> lstGroups = new List<string>();
try
{
objDS = new DirectorySearcher("objectCategory=User");
objDS.Filter = "(SAMAccountName=" + pstrUser + ")";
objSR = objDS.FindOne();
objUser = new DirectoryEntry(objSR.Path);
PropertyCollection colProperties = objUser.Properties;
PropertyValueCollection colPropertyValues = colProperties["memberOf"];
foreach (string strGroup in colPropertyValues)
{
lstGroups.Add(GetSAMAccountName(strGroup).ToLower());
}
return lstGroups;
}
catch (Exception)
{
throw;
}
finally
{
if (objUser != null)
{
objUser.Close();
objUser.Dispose();
objUser = null;
}
if (objSR != null)
{
objSR = null;
}
if (objDS != null)
{
objDS.Dispose();
objDS = null;
}
}
}
public static string GetSAMAccountName(string pstrPath)
{
/// <summary>
/// Gets a SAM Account Name from a given LDAP path
/// </summary>
/// <param name="pstrPath">LDAP path to bind to</param>
DirectoryEntry objADEntry = null;
try
{
objADEntry = new DirectoryEntry("LDAP://" + pstrPath);
return objADEntry.Properties["SAMAccountName"].Value.ToString();
}
catch (System.Runtime.InteropServices.COMException)
{
return String.Empty;
}
catch (System.NullReferenceException)
{
return String.Empty;
}
catch (Exception)
{
throw;
}
finally
{
if (objADEntry != null)
{
objADEntry.Close();
objADEntry.Dispose();
objADEntry = null;
}
}
}
W
Willy Denoyette [MVP]
Mark Rae said:You'll have to use P/Invoke for this, of course
System.DirectoryServices will do all of this, and much more, for you without recourse to
p/invoke...
using System;
using System.Collections.Generic;
using System.DirectoryServices;
public static List<string> GetGroupsForUser(string pstrUser)
{
/// <summary>
/// Gets the groups a user is a member of
/// </summary>
/// <param name="pstrGroup">ActiveDirectory group to evaluate</param>
/// <returns>List<string> of groups for pstrUser</returns>
DirectorySearcher objDS = null;
SearchResult objSR = null;
DirectoryEntry objUser = null;
List<string> lstGroups = new List<string>();
try
{
objDS = new DirectorySearcher("objectCategory=User");
objDS.Filter = "(SAMAccountName=" + pstrUser + ")";
objSR = objDS.FindOne();
objUser = new DirectoryEntry(objSR.Path);
PropertyCollection colProperties = objUser.Properties;
PropertyValueCollection colPropertyValues = colProperties["memberOf"];
foreach (string strGroup in colPropertyValues)
{
lstGroups.Add(GetSAMAccountName(strGroup).ToLower());
}
return lstGroups;
}
catch (Exception)
{
throw;
}
finally
{
if (objUser != null)
{
objUser.Close();
objUser.Dispose();
objUser = null;
}
if (objSR != null)
{
objSR = null;
}
if (objDS != null)
{
objDS.Dispose();
objDS = null;
}
}
}
public static string GetSAMAccountName(string pstrPath)
{
/// <summary>
/// Gets a SAM Account Name from a given LDAP path
/// </summary>
/// <param name="pstrPath">LDAP path to bind to</param>
DirectoryEntry objADEntry = null;
try
{
objADEntry = new DirectoryEntry("LDAP://" + pstrPath);
return objADEntry.Properties["SAMAccountName"].Value.ToString();
}
catch (System.Runtime.InteropServices.COMException)
{
return String.Empty;
}
catch (System.NullReferenceException)
{
return String.Empty;
}
catch (Exception)
{
throw;
}
finally
{
if (objADEntry != null)
{
objADEntry.Close();
objADEntry.Dispose();
objADEntry = null;
}
}
}
Just a few remarks:
You may simplify your code and make it easier to read and maintain by applying the *using*
idiom, this way, you get rid of the Dispose, Close and completely redundant "obj = null"
calls.
Your code will only work when the caller is running in his domain account, when this is not
the case, you need to bind explicitly against the Domain or the DC, and preferably using
FastBind for performance reasons. You may also bind to the GC (the Global Catalog) using
GC://... in order to speed-up the queries.
Another point to consider is that the binding user must have "query" privileges to all of
the objects you query, normally all domain member do have this privilege, but highly secured
AD's may restrict access to some objects to special accounts only. So it's possible that a
user can bind to his user object, but not to (some) of the related objects.
You should also try to reuse the already established DirectoryEntry object for further
operations against the AD, the way you do forces adsi to rebind and this can be a costly
operation especially on slow connections and uses a lot more resources at the LDAP server.
The following code snip shows how to take advantage of a single bind by using the
GetDirectorEntry() for each successive object retrieval.
public static List<string> GetGroupsForUser(string userAccount)
{
string rootPath = "LDAP://{0}/DC=xxx,DC=yyy,DC=zzz";
string accountDomain = "domain"; // domain name or dc name or empty when binding to
logon domain
string userAccount = userAccount
rootPath = String.Format(
rootPath
, accountDomain);
string authUser = "xxx\yyyyy"; // account used to bind, here hardcoded, not
production safe!
string authPassword = "PASSWORD"; // his password, here hardcoded, not production
safe!
List<string> lstGroups = new List<string>();
using (DirectoryEntry root = new DirectoryEntry(rootPath, authUser, authPassword,
AuthenticationTypes.FastBind))
{
using (DirectorySearcher ds = new DirectorySearcher(root))
{
SearchResult sr = null;
ds.Filter = "(SAMAccountName=" + userAccount + ")";
sr = ds.FindOne();
using (DirectoryEntry user = sr.GetDirectoryEntry())
{
PropertyCollection pcoll = user.Properties;
PropertyValueCollection memberOf = pcoll["memberOf"];
foreach (string cnGroup in memberOf)
{
ds.Filter = cnGroup.Substring(0, cnGroup.IndexOf(','));
sr = ds.FindOne();
using (DirectoryEntry group = sr.GetDirectoryEntry())
{
lstGroups.Add(group.Properties["SAMAccountName"].Value.ToString());
}
}
}
}
}
return lstGroups;
}
....
Willy.
M
Mark Rae
It's not actually my code - I just found it on the web with a simple Google
search...
D
Dave Sexton
Hi Mark,
Good stuff, but correct me if I'm wrong here. That won't get the local
groups so the user will still have to use my method anyway.
--
Dave Sexton
Good stuff, but correct me if I'm wrong here. That won't get the local
groups so the user will still have to use my method anyway.
--
Dave Sexton
Mark Rae said:You'll have to use P/Invoke for this, of course
System.DirectoryServices will do all of this, and much more, for you
without recourse to p/invoke...
using System;
using System.Collections.Generic;
using System.DirectoryServices;
public static List<string> GetGroupsForUser(string pstrUser)
{
/// <summary>
/// Gets the groups a user is a member of
/// </summary>
/// <param name="pstrGroup">ActiveDirectory group to evaluate</param>
/// <returns>List<string> of groups for pstrUser</returns>
DirectorySearcher objDS = null;
SearchResult objSR = null;
DirectoryEntry objUser = null;
List<string> lstGroups = new List<string>();
try
{
objDS = new DirectorySearcher("objectCategory=User");
objDS.Filter = "(SAMAccountName=" + pstrUser + ")";
objSR = objDS.FindOne();
objUser = new DirectoryEntry(objSR.Path);
PropertyCollection colProperties = objUser.Properties;
PropertyValueCollection colPropertyValues = colProperties["memberOf"];
foreach (string strGroup in colPropertyValues)
{
lstGroups.Add(GetSAMAccountName(strGroup).ToLower());
}
return lstGroups;
}
catch (Exception)
{
throw;
}
finally
{
if (objUser != null)
{
objUser.Close();
objUser.Dispose();
objUser = null;
}
if (objSR != null)
{
objSR = null;
}
if (objDS != null)
{
objDS.Dispose();
objDS = null;
}
}
}
public static string GetSAMAccountName(string pstrPath)
{
/// <summary>
/// Gets a SAM Account Name from a given LDAP path
/// </summary>
/// <param name="pstrPath">LDAP path to bind to</param>
DirectoryEntry objADEntry = null;
try
{
objADEntry = new DirectoryEntry("LDAP://" + pstrPath);
return objADEntry.Properties["SAMAccountName"].Value.ToString();
}
catch (System.Runtime.InteropServices.COMException)
{
return String.Empty;
}
catch (System.NullReferenceException)
{
return String.Empty;
}
catch (Exception)
{
throw;
}
finally
{
if (objADEntry != null)
{
objADEntry.Close();
objADEntry.Dispose();
objADEntry = null;
}
}
}
M
Mark Rae
No it won't, but it can with a fairly trivial modification:
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/Q_20658471.html
D
Dave Sexton
Hi Mark,
That's great
--
Dave Sexton
That's great
--
Dave Sexton
Mark Rae said:
M
Mark Rae
That's great
By the way, if you do intend to use the code I found, be sure to follow
Willy's recommended modifications...
W
Willy Denoyette [MVP]
Dave Sexton said:
No, you can use the WinNT provider to connect to the local SAM, like this:
private static List<string> AccountGroups(string userAccount)
{
List<string> lstGroups = new List<string>(10);
string adsPath = "WinNT://<domain>/<machine>"; // or WinNT://<machine > if not a
domain member.
using (DirectoryEntry groupEntry = new DirectoryEntry(adsPath +",computer"))
{
IADsContainer cont = groupEntry.NativeObject as IADsContainer;
object[] filter = {"Group"};
cont.Filter = filter;
foreach (IADsGroup group in cont) {
if(group.IsMember(adsPath + "/" + userAccount))
lstGroups.Add(group.Name);
}
}
return lstGroups;
}
the problem here is that you need to set a reference to activeds.tlb. Also note that the
above sample does not account for nested groups!!
Note that you can also use WindowsIdentity.Groups, the problem here is that you also get the
pseudo accounts returned.
A better solution is to use System.Management (and WMI classes "Win32_UserAccount" and
"Win32_Group") to check local account and group membership.
Willy.
D
Dave Sexton
Hi Willy,
Thanks for the info.
--
Dave Sexton
Thanks for the info.
--
Dave Sexton
Willy Denoyette said: