
I am trying to write a web service in C# that takes a username and AD group name, and returns true or false as a result. Right now I'm doing something to the effect of this.

    using System;
    using System.DirectoryServices.AccountManagement;

    public static Boolean CheckGroupForUser(String username, String groupname)
    {
        Boolean Success = false;

        try
        {
            // Bind to the domain of the current machine and look up both principals.
            using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
            using (UserPrincipal user = UserPrincipal.FindByIdentity(oPrincipalContext, username))
            using (GroupPrincipal gp = GroupPrincipal.FindByIdentity(oPrincipalContext, groupname))
            {
                // FindByIdentity returns null when the name is not found.
                if (user != null && gp != null)
                {
                    // IsMemberOf only tests direct membership, not nested groups.
                    Success = user.IsMemberOf(gp);
                }
            }
        }
        catch (Exception)
        {
            // Any directory error is reported as "not a member".
            Success = false;
        }
        return Success;
    }

This works fine. Returns true if the user is in the group, returns false if they are not. The problem is this.

Let's say I have an AD Group called TestGroup. TestGroup has 1 user named Bob in it.

    CheckGroupForUser("Bob","TestGroup"); //true

Let's say user Bob is also in the AD Group OtherGroup. So I take Bob out of TestGroup, but add OtherGroup to TestGroup. So now technically Bob is in TestGroup, but not directly.

    CheckGroupForUser("Bob","TestGroup"); //false

This is where I need help. I need this scenario to be true. Catch my drift? Any suggestions?

hvchris

1 Answer

If you use System.DirectoryServices you can do this by using the rule LDAP_MATCHING_RULE_IN_CHAIN in your search.

Basically you use a filter like:

    (member:1.2.840.113556.1.4.1941:=userDN)

where userDN is the distinguished name of the user you're interested in.

Joe
  • forgive my ignorance, but in this instance does '1.2.840.113556.1.4.1941' represent some unique identifier like an employee number or something? EDIT: I read the link you provided and realized this is an OID – hvchris Feb 03 '14 at 15:21
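As an added example (not the answerer's code, and not part of the original thread), here is how the LDAP_MATCHING_RULE_IN_CHAIN filter from the answer can be combined with the question's PrincipalContext lookup to get a transitive membership test. It assumes a domain-joined machine, that `username` and `groupname` are the sAMAccountName values callers pass to the web service, and that the group's distinguished name can be bound with an `LDAP://` path. Because both names arrive from callers, the user DN is escaped before it is placed in the filter so that filter metacharacters in a name cannot change the query; the helper names (`EscapeFilterValue`, `BuildFilter`, `IsUserInGroupNested`) are mine.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

public static class NestedGroupCheck
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    // Input reaches this code from web service callers, so filter
    // metacharacters are neutralised rather than passed through.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The filter from the answer: match objects whose "member" chain
    // (direct members, members of member groups, and so on) contains userDn.
    public static string BuildFilter(string userDn)
    {
        return "(member:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(userDn) + ")";
    }

    // True if username is a direct or nested member of groupname.
    // Returns false when either principal does not exist.
    public static bool IsUserInGroupNested(string username, string groupname)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, username))
        using (var group = GroupPrincipal.FindByIdentity(ctx, groupname))
        {
            if (user == null || group == null)
            {
                return false;
            }

            // Use the group object itself as the search base with Base scope:
            // the only possible hit is that group, and only if the filter
            // (the transitive member chain containing the user) matches it.
            using (var groupEntry = new DirectoryEntry("LDAP://" + group.DistinguishedName))
            using (var searcher = new DirectorySearcher(groupEntry))
            {
                searcher.SearchScope = SearchScope.Base;
                searcher.Filter = BuildFilter(user.DistinguishedName);
                searcher.PropertiesToLoad.Add("distinguishedName");

                SearchResult result = searcher.FindOne();
                return result != null;
            }
        }
    }
}
```

With the scenario from the question (Bob removed from TestGroup, OtherGroup added to TestGroup, Bob in OtherGroup), `IsUserInGroupNested("Bob", "TestGroup")` returns true because the matching rule walks the member chain, while the original `user.IsMemberOf(gp)` still returns false. The check is also scoped to a single group object, so a caller cannot turn it into a broad directory search by supplying an unexpected group name.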