My role is on the developer side. I have an application in which I am trying to check whether a user has access to a share. In the application, I check the groups on that share. Then I check all the groups the user is in.

In one case, I am not able to see the local group that the user is in, either in code or in AD in Windows. For example:

Domain A\User1 > Domain A\Global Group > Do not see: Domain B\Local Group

But when I look from Domain B I see:

Share > Domain B\Local Group > Domain A\Global Group > Do not see Domain A\User1

Is there some security setting that is not set correctly, since I don't see it in the Windows tool or in code?

Update

I have tried the following code. I am still unable to see Domain B\Local Group.

using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

string account = "{User**Or**Group}";
string domain = "{Domain}";

// ADHelper is the asker's own helper; it is not shown on this page.
string dn = ADHelper.GetDistinguishedName(domain, account);

using (var forest = Forest.GetCurrentForest())
{
    foreach (Domain domainName in forest.Domains)
    {
        Console.WriteLine(string.Format("Domain: {0}", domainName.Name));
        Console.WriteLine("========================================================");
        GetAllGroups(dn, domainName.Name);
        domainName.Dispose();
    }
}

void GetAllGroups(string dn, string domain)
{
    // DirectorySearcher(string) takes an LDAP filter, not a path: the GC search root
    // has to be supplied as a DirectoryEntry, otherwise the search never hits the GC.
    using (var root = new DirectoryEntry(string.Format("GC://{0}", domain)))
    using (var ds = new DirectorySearcher(root))
    {
        ds.Filter = string.Format("(distinguishedName={0})", dn);

        SearchResult sr = ds.FindOne();
        if (sr == null)
            return;

        using (DirectoryEntry dirUser = sr.GetDirectoryEntry())
        {
            // tokenGroups is a constructed attribute; it is only populated on request.
            dirUser.RefreshCache(new string[] { "tokenGroups" });

            foreach (byte[] rawSid in dirUser.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(rawSid, 0);
                try
                {
                    NTAccount nt = (NTAccount)sid.Translate(typeof(NTAccount));
                    Console.WriteLine(nt.Value + "\t" + domain);
                }
                catch (IdentityNotMappedException)
                {
                    // The SID could not be resolved from this host; print it instead of
                    // silently dropping the group.
                    Console.WriteLine(sid.Value + "\t" + domain);
                }
            }
        }
    }
}

1 Answer

In order to retrieve all groups a user belongs to, you have to query one Global Catalog in each domain of the entire forest for the user's membership (the user's tokenGroups attribute will return nested groups as well), then remove duplicated groups.

Be aware that Active Directory cannot return more than 5K values of a single attribute in one query. If a user belongs to more than 10K groups, then AD will return only the first 5K. You have to use a technique called range retrieval to query for membership in that case.

Also, there may be external trusted domains that you have to handle as well.

Another solution is to use the GetEffectiveRightsFromAcl function to calculate the effective user permissions for the specified share. The solution is described here.

Note that you will need to pass SE_OBJECT_TYPE.SE_LMSHARE as the object type to the function.

  • Thanks Dmitry. I will check this out. – H20rider Sep 20 '16 at 19:13
  • I was not able to find the groups the user was part of in the other domain. Any ideas how to do this? Btw, the GetEffectiveRightsFromAcl approach will not work, since I need to show the path of how the user has permission to a share – H20rider Sep 21 '16 at 15:29
  • Just to be on the same page, please confirm that you did the following: 1. Connect to a GC from domain A. 2. Bind to the specified user from domain A. 3. Query its tokenGroups attribute. 4. Connect to a GC from domain B. 5. Bind to the same user from domain A on this GC. 6. Query the tokenGroups attribute for this user on this GC – oldovets Sep 21 '16 at 21:00
  • And of course you have to merge the membership from both GCs into a single list by removing duplicates. The GC from domain A will return the local security groups which the user belongs to in domain A, and the GC from domain B will return the user's local security groups from domain B – oldovets Sep 21 '16 at 23:31
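The six-step procedure from the comments above (one Global Catalog per domain, bind to the user's DN on each, read tokenGroups, merge and de-duplicate by SID), as an added PowerShell example that is not part of the original question or answer. It uses the same System.DirectoryServices classes as the question's C#. It assumes the host is joined to the forest and can reach a Global Catalog in every domain; the distinguished name in the final call is a hypothetical placeholder, and ConvertTo-LdapFilterValue, Get-TokenGroupsFromGC and Get-ForestWideGroups are names chosen for this example.

```powershell
# Added example, not code from the question or the answer. Assumes a forest-joined
# host that can reach a GC in each domain; the DN at the bottom is hypothetical.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing ( ) * \ or NUL cannot alter the filter.
    param([Parameter(Mandatory)] [string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-TokenGroupsFromGC {
    param(
        [Parameter(Mandatory)] [string] $UserDn,
        [Parameter(Mandatory)] [string] $DomainName   # DNS name of the domain whose GC is asked
    )
    # DirectorySearcher's string constructor is an LDAP filter, not a path, so the
    # GC search root (port 3268) is passed as a DirectoryEntry.
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$DomainName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(distinguishedName=$(ConvertTo-LdapFilterValue $UserDn))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    try {
        $result = $searcher.FindOne()
        if ($null -eq $result) { return }
        $entry = $result.GetDirectoryEntry()
        try {
            # tokenGroups is computed by the server that answers, so a GC in domain B is
            # what contributes domain B's domain-local groups; refresh it on every GC.
            $entry.RefreshCache(@('tokenGroups'))
            foreach ($raw in $entry.Properties['tokenGroups']) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
                $name = $null
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { }   # unresolvable from this host: keep the SID, do not drop the group
                [pscustomobject]@{ Sid = $sid.Value; Name = $name; SeenOn = @($DomainName) }
            }
        } finally { $entry.Dispose() }
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

function Get-ForestWideGroups {
    param([Parameter(Mandatory)] [string] $UserDn)
    $merged = @{}   # keyed by SID string: one entry per group, however many GCs report it
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    try {
        # Forest.Domains covers this forest only; domains reached over an external
        # trust (the answer's other caveat) need their own lookup.
        foreach ($domain in $forest.Domains) {
            try {
                foreach ($g in Get-TokenGroupsFromGC -UserDn $UserDn -DomainName $domain.Name) {
                    if ($merged.ContainsKey($g.Sid)) { $merged[$g.Sid].SeenOn += $g.SeenOn }
                    else                             { $merged[$g.Sid] = $g }
                }
            } finally { $domain.Dispose() }
        }
    } finally { $forest.Dispose() }
    $merged.Values | Sort-Object Name
}

# Hypothetical DN. SeenOn shows which domain's GC contributed each group, so a
# Domain B domain-local group appears with SeenOn = b.example even when queried
# for a Domain A user.
Get-ForestWideGroups -UserDn 'CN=User1,OU=Staff,DC=a,DC=example' |
    Format-Table Name, Sid, @{ n = 'SeenOn'; e = { $_.SeenOn -join ',' } } -AutoSize
```

Two details matter for a security-conscious implementation: the DN goes through filter escaping before it is interpolated, so a crafted name cannot widen the search, and a SID that will not translate is kept as its S-1-5-... string instead of being swallowed by an empty catch, which is the failure mode that makes a cross-domain group look absent in the question's original loop.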