
I have a web application using Windows Authentication in C# and currently I assign users to roles individually.

e.g. on each page of the application, I check

    if (Roles.IsUserInRole(@"AU\UserName", "PageAccessRole"))

As I need to roll out the application to the whole team this week (and eventually the whole company), I need to use AD groups, as there are over 3000 people, so I am not about to do it manually!

As a newbie to ASP.NET (and programming in general), I really don't know much about setting up AD groups (e.g. how do I get access to the AD groups from my application, etc.?).

I would be soooo grateful if anyone could point me in the right direction... I've been reading up all about LDAP and System.DirectoryServices.AccountManagement etc., but I am just getting all the more confused.

So far, I have this in my web.config

  <authentication mode="Windows" />
  <authorization>
    <allow roles="AU\Active Directory Group Name" />
    <deny users="?" />
  </authorization>

  <roleManager enabled="true">
    <providers>
      <clear />
      <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
    </providers>
  </roleManager>

And I've enabled Windows Authentication and disabled Anonymous Authentication in IIS.

Please please help!!

  • I suspect this thread (http://stackoverflow.com/questions/2188954/see-if-user-is-part-of-active-directory-group-in-c-sharp-asp-net) would be useful, but I don't know how to incorporate the code into my application... – viv_acious Sep 17 '12 at 05:58
  • Do you want to add a new group and add people to the groups? – RL89 Sep 17 '12 at 07:25
  • No, I want to use the company's existing Active Directory group! – viv_acious Sep 17 '12 at 22:59
  • I don't want to manually add thousands of people into a group etc. – viv_acious Sep 17 '12 at 23:00
  • What I can show you here is how to add a bunch of users to the Active Directory group using a foreach loop. If you want the same, let me know and I can show you an example here. – RL89 Sep 18 '12 at 07:37
  • I don't want to manually add users, as we have thousands though. I want to use the company's existing setup of AD groups. Hmmm, any idea how to get that done? – viv_acious Sep 19 '12 at 08:23
  • OK, sure. Don't worry, I'll give you a working solution. Tell me one thing: is there only a single group you want to add the users to, or multiple groups? Second, where are you getting this group from: is it from AD, or do you have the value in a variable? – RL89 Sep 19 '12 at 08:32
  • Thank you SOOOOO much for all your help... I've finally figured out how to do it ;) Took me a while to get the DirectoryEntry working though! – viv_acious Sep 24 '12 at 02:21

1 Answer


Solution:

This is how you can fetch groups from an OU in AD.

Suppose I want to fetch records from my Department OU. Then the path would be like this:

Department-->>Users

and dc here is the Domain Controller name; in my case it was Corp.Local.
In this way you can fetch groups from your AD:

    using System.Data;
    using System.DirectoryServices;

    // Returns the names of all groups found under the chosen OU
    public DataTable FetchGroups(string department, string ou, string username, string password)
    {
        DataTable dt = new DataTable();
        dt.Columns.Add("groups");
        DirectoryEntry rootDSE = null;

        if (department != "")
        {
            rootDSE = new DirectoryEntry(
                "LDAP://OU=" + department + ",OU=Users,dc=corp,dc=local", username, password);
        }
        else
        {
            rootDSE = new DirectoryEntry(
                "LDAP://OU=Users,OU=" + ou + ",dc=corp,dc=local", username, password);
        }

        using (rootDSE)
        using (DirectorySearcher ouSearch = new DirectorySearcher(rootDSE))
        {
            ouSearch.PageSize = 1001;
            ouSearch.Filter = "(objectClass=group)";
            ouSearch.SearchScope = SearchScope.Subtree;
            ouSearch.PropertiesToLoad.Add("name");

            // The SearchResultCollection must be disposed as well, or it leaks unmanaged resources
            using (SearchResultCollection allOUS = ouSearch.FindAll())
            {
                foreach (SearchResult oneResult in allOUS)
                {
                    dt.Rows.Add(oneResult.Properties["name"][0].ToString());
                }
            }
        }
        return dt;
    }

Now, how to add users to the groups.

This is an example for a single user; you can do the same for many users by looping over them.

    using System;
    using System.DirectoryServices.AccountManagement;

    // Adds userName to groupName, binding to the domain with the given credentials.
    // Returns true when the user is confirmed to be a member after the add.
    public bool AddUserToGroup(string groupName, string userName, string username, string password)
    {
        bool done = false;
        using (PrincipalContext pr = new PrincipalContext(ContextType.Domain,
            "corp.local", "dc=corp,dc=local", username, password))
        {
            GroupPrincipal group = GroupPrincipal.FindByIdentity(pr, groupName); // Looking for the group in the AD server
            if (group == null)
            {
                throw new InvalidOperationException("Group not found: " + groupName);
            }

            UserPrincipal user = UserPrincipal.FindByIdentity(pr, userName); // Looking for the user in the AD server
            if (user == null)
            {
                throw new InvalidOperationException("User not found: " + userName);
            }

            if (user.IsMemberOf(group)) // The group is already added to the user
            {
                // Kept as an if/else so that, if you want to remove groups from that user,
                // you can write your logic here.

                // Do nothing, because the group is already added to the user
            }
            else // Group not found on the current user, add it
            {
                group.Members.Add(user);
                group.Save();
                done = user.IsMemberOf(group); // You can confirm it from here
            }
        }
        return done;
    }
  • Another question, if you could help me with it! I've only used the first part of your code (i.e. checking if the logged-in user is part of a specific AD group). Now, if the user IS part of that AD group, I want to allow them to have certain security rights in the application. I've created a dummy user assigned the roles I want everyone in the AD group to have. How do I allow the user to "inherit" the security rights from the dummy user? – viv_acious Sep 24 '12 at 02:42
  • Basically, I just want those who are part of the AD group to have certain security rights (instead of adding each user to individual security rights). – viv_acious Sep 24 '12 at 02:43
  • I've just realised I should've been using System.Web.Security.WindowsTokenRoleProvider and System.Web.Security.ActiveDirectoryMembershipProvider in the web.config file all along (instead of the code above)! – viv_acious Sep 24 '12 at 05:15
  • Thanks for all your help... if you could also help with my new question at http://stackoverflow.com/questions/12559457/how-to-create-admin-roles-in-active-directory-and-restrict-pages-in-my-applicati, that would be much appreciated too! – viv_acious Sep 24 '12 at 06:31
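As an added example (not code from the question or the answer), here is the approach the asker settled on in the last comments: with WindowsTokenRoleProvider enabled in web.config, group membership comes from the caller's Windows token, so pages can be gated by AD group without binding to LDAP with stored credentials, and the check denies by default. The group names and the domain value are placeholders, and the directory fallback assumes the worker process is allowed to query the domain.

```csharp
using System;
using System.Security.Principal;
using System.DirectoryServices.AccountManagement;
using System.Web;

public static class AdGroupAuthorization
{
    // Placeholder group names; replace with the real DOMAIN\Group values
    public const string PageAccessGroup = @"AU\App-PageAccess";
    public const string AdminGroup = @"AU\App-Admins";

    // Token-based check: WindowsTokenRoleProvider exposes the Windows token's groups as
    // roles, including nested (transitive) group memberships, with no LDAP bind needed.
    public static bool IsAllowed(IPrincipal user, string group)
    {
        // Deny by default: unauthenticated or missing principal never passes
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole(group);
    }

    // Directory fallback for auditing what groups an account resolves to outside a request.
    // GetAuthorizationGroups also expands nested memberships, unlike GetGroups.
    public static bool IsMemberViaDirectory(string samAccountName, string groupSam, string domain)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return false;
            using (var groups = user.GetAuthorizationGroups())
            {
                foreach (Principal g in groups)
                {
                    // Some well-known SIDs come back without a SamAccountName; string.Equals tolerates null
                    if (string.Equals(g.SamAccountName, groupSam, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
            return false;
        }
    }

    // Call from Page_Load (or a shared base page) instead of repeating Roles.IsUserInRole per page
    public static void RequireGroup(HttpContext context, string group)
    {
        if (IsAllowed(context.User, group)) return;
        context.Response.StatusCode = 403;
        context.Response.SuppressContent = true;
        context.ApplicationInstance.CompleteRequest();
    }
}
```

The same gate can be expressed declaratively per page with a web.config `<location>` element carrying `<allow roles="AU\App-PageAccess" />` followed by `<deny users="*" />`, which closes the gap left by denying only anonymous users.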