Get Users Group Membership

[-Steve-]

I need to check and see if the user running a c# app is a member of a
certain group.

I'm querying active directory, finding the user, and going through their
list of groups. The problem I have is that if the user is a member of
group1, and group1 is a member of group2, I won't find out that the user is
a member of group2. Basically it's not handling nested groups.

So I have the option of drilling down into groups but it seems like there
should be a better way.

 

[Marc Scheuner [MVP ADSI]]

I need to check and see if the user running a c# app is a member of a

certain group.
I'm querying active directory, finding the user, and going through their
list of groups. The problem I have is that if the user is a member of
group1, and group1 is a member of group2, I won't find out that the user is
a member of group2. Basically it's not handling nested groups.
So I have the option of drilling down into groups but it seems like there
should be a better way.

Yes, there is - a bit involved, though. There's an AD attribute called
"tokenGroups", which you can query, which also includes nested group
memberships.

The tricky parts are:

1) This is not a "static" attribute, e.g. you have to specifically
refresh your cache for that attribute to appear:

YourUserEntry.RefreshCache(new string[] { "tokenGroups" } );

2) It's a list of group SID's, e.g. given a certain group you want to
check for, you first need to grab it's SID and then compare the list
of "tokenGroups" SIDs to that group SID.

Fellow MVP Ryan Dunn has a nice blog post and some sample code showing
how to enumerate tokenGroups for a user account:

http://dunnry.com/blog/EnumeratingTokenGroupsTokenGroupsInNET.aspx

Marc

================================================================
Marc Scheuner May The Source Be With You!
Berne, Switzerland m.scheuner -at- inova.ch