Searching an AD security group




When a user visits my site (ASP.NET + VB.NET), I need to know if they are in
a particular AD security group in order to display the pertinent information.

When I call UserLookup in code below it works well at returning whether the
user is directly a member of the group. However, if they are contained inside
of an inherited security group, it returns false because it will not search

I thought this would be simple to find information on, but apparently I
thought wrong.

Any help would be appreciated.

in the constructor.

Imports System
Imports System.Collections
Imports System.DirectoryServices
Imports Microsoft.VisualBasic

' Returns the names of the direct members of the configured group.
' DomainNameValue, ServerNameValue and GroupNameValue are fields set in the constructor.
Public Function ReturnUsers() As Collection
    Dim strDirEntryPath As String
    ' WinNT provider path of the group, e.g. WinNT://DOMAIN/SERVER/GroupName,group
    strDirEntryPath = "WinNT://" & DomainNameValue & "/" & _
        ServerNameValue & "/" & GroupNameValue & ",group"
    Dim users As Object
    Dim UsersCollection As New Collection

    Try
        Dim group As New DirectoryEntry(strDirEntryPath)
        ' Invoke the ADSI "members" method to enumerate the group's direct members
        users = group.Invoke("members")

        Dim user1 As Object
        For Each user1 In CType(users, IEnumerable)
            ' Each member comes back as an ADSI COM object; wrap it to read its name
            Dim userEntry As New DirectoryEntry(user1)
            UsersCollection.Add(userEntry.Name)
        Next
    Catch e1 As Exception
        ' Rethrow instead of returning the exception object as if it were the result
        Throw
    End Try

    Return UsersCollection
End Function

'returns true/false if a person is in an AD security group or not
'(direct members only; nested groups are not followed)
Public Function UserLookup(ByVal user As String) As Boolean

    Dim i As Integer
    Dim UsersCollection As Collection
    Dim Match As Boolean = False

    ' CheckUser() was called here in the posted code but is not defined anywhere in the post

    UsersCollection = Me.ReturnUsers()

    For i = 1 To UsersCollection.Count
        If CStr(UsersCollection.Item(i)) = user Then
            Match = True
            Return Match
        End If
    Next

    Return Match
End Function


Thanks for your reply Peter,

The code you pointed me to returns the groups that a given member belongs
to. This is somewhat opposite of what I am looking for. I need to be able
to search the members of a group to look for a logged on person. The problem
is inherited groups. The user may belong to a group (gp1) that in turn
belongs to another group (gp2). GP2 does not show as a group that the user
belongs to.

I need to start with GP2, evaluate its members, if one of its members is yet
another security group, then evaluate the members of this group (GP1) and so
on until I either find the user, or run out of paths to dig into.

This is the same process the OS is doing each time I try to open a file,
that is why I figured this would be well documented.
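A recursive version of the search described above, added here as an example and not code from the original post: it starts at the top group (GP2), descends into any member that is itself a group (GP1), and stops when the user is found or every path is exhausted. It assumes the WinNT provider path and account-name form used in the posted code; the class and function names are invented for the example.

```vb
Imports System
Imports System.Collections
Imports System.DirectoryServices

Public Class NestedGroupSearch

    ' Returns True if userName is a direct or nested member of the group at groupPath,
    ' e.g. groupPath = "WinNT://DOMAIN/SERVER/GP2,group" and userName = "jsmith"
    ' (both values are assumed placeholders, not from the original post).
    Public Shared Function IsMemberRecursive(ByVal groupPath As String, ByVal userName As String) As Boolean
        Dim visited As New Hashtable()
        Dim root As New DirectoryEntry(groupPath)
        Try
            Return Search(root, userName, visited)
        Finally
            root.Dispose()
        End Try
    End Function

    Private Shared Function Search(ByVal group As DirectoryEntry, ByVal userName As String, ByVal visited As Hashtable) As Boolean
        ' Nested groups can form cycles (GP1 in GP2 and GP2 in GP1); the visited table
        ' keeps the walk from looping forever and from scanning the same group twice.
        Dim key As String = group.Path.ToLower()
        If visited.ContainsKey(key) Then Return False
        visited.Add(key, True)

        ' ADSI "Members" enumerates the direct members as COM objects
        For Each member As Object In CType(group.Invoke("Members"), IEnumerable)
            Dim entry As New DirectoryEntry(member)
            Try
                If entry.SchemaClassName = "Group" Then
                    ' Member is itself a group: descend into it (GP2 -> GP1 -> user)
                    If Search(entry, userName, visited) Then Return True
                ElseIf String.Compare(entry.Name, userName, True) = 0 Then
                    ' Case-insensitive match on the account name
                    Return True
                End If
            Finally
                entry.Dispose()
            End Try
        Next
        Return False
    End Function
End Class
```

With Windows authentication in ASP.NET, calling IsInRole("DOMAIN\GP2") on the request's WindowsPrincipal avoids walking the tree at all, because the logon token already carries the SIDs of nested groups (which is what the OS consults when opening a file). Token group membership is computed at logon, so a user added to a group sees the change only after logging on again.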

Peter Huang [MSFT]


Here is a link about how to use DirectoryServices to list the members of a
certain group. (NOTE: it uses WinNT, but LDAP will use a similar
approach, except that the path string is different.)
You may take a look.

If you still have any concern, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! -
This posting is provided "AS IS" with no warranties, and confers no rights.

