
I recently tried to work with WindowsPrincipal but I am getting really confused. I use this code snippet:

WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
// Check the WindowsPrincipal just built. The original checked Thread.CurrentPrincipal, which is
// only a WindowsPrincipal if the AppDomain principal policy is PrincipalPolicy.WindowsPrincipal or it was assigned explicitly.
MessageBox.Show(principal.IsInRole("MyDomain\\Users").ToString());

It returns True, so it's OK. But I thought that this "IsInRole" check works against Active Directory. Yet when I unplug the network cable it still returns true. How come? Is there any easy way to check against AD whether the logged-on user is in a specific domain?

Filip Nguyen

2 Answers


Your code is fine. Windows is a bit smarter than we think and caches the user's group membership even when you disconnect the network cable; in fact, if you are in an AD domain you can also unplug the cable and still log in, because everything is cached locally.

If you want to check how it really works, unplug the cable and check another group membership while disconnected: it will be false. Then add your user to another group on the server; that check will pass only after you connect your machine to the network again and do a log-off / log-in.

Davide Piras
  • Thanks for the fast answer, but isn't this a security issue? When I use this code snippet to authenticate on the server side (through the OperationContext of a WCF service), then even a user who is no longer authorized (got kicked out of some group) will be able to log in until the server logs off and logs in? – Filip Nguyen Feb 18 '11 at 15:15
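To make the distinction concrete, here is an added example (not code from the question or from either answer). It runs the token-based check from the original snippet side by side with a live membership query through System.DirectoryServices.AccountManagement, which has to reach a domain controller. The domain name and group name are read from the command line and the process is assumed to run as a domain user; both are assumptions for this example, not details from the post.

```csharp
// Added example, not from the original question or answers.
// Compares the token-based check (WindowsPrincipal.IsInRole, answered from the group SIDs
// placed in the logon token, so it works with the cable unplugged) with a live query against
// Active Directory, which needs a reachable domain controller.
// Assumptions (not in the original post): domain and group come from the command line and the
// process runs as a domain user. Reference System.DirectoryServices.AccountManagement.dll.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupCheck
{
    // 1. Token-based: what the original snippet measures. The group SIDs were resolved when the
    //    token was created; nothing is asked of AD at this point.
    static bool IsInRoleFromToken(string qualifiedGroupName)
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(qualifiedGroupName);
    }

    // 2. Live: ask a domain controller for the membership as it stands right now. Returns null
    //    when the question cannot be answered, so the caller can fail closed instead of silently
    //    trusting stale data.
    static bool? IsInRoleFromDirectory(string domain, string groupName, out string error)
    {
        error = null;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid,
                       WindowsIdentity.GetCurrent().User.Value))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
            {
                if (user == null || group == null)
                {
                    error = "user or group not found in " + domain;
                    return null;
                }
                // IsMemberOf checks direct membership; user.GetAuthorizationGroups() would also
                // expand nested groups, which is what the token contains.
                return user.IsMemberOf(group);
            }
        }
        catch (PrincipalServerDownException ex)
        {
            // This is the branch you land in with the network cable unplugged: the token check
            // above still returns True, this one cannot answer at all.
            error = "domain controller unreachable: " + ex.Message;
            return null;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: GroupCheck <domain> <group name>");
            return;
        }
        string domain = args[0], group = args[1];

        Console.WriteLine("Token (resolved at logon): {0}", IsInRoleFromToken(domain + "\\" + group));

        string err;
        bool? live = IsInRoleFromDirectory(domain, group, out err);
        Console.WriteLine("Directory (live):          {0}",
            live.HasValue ? live.Value.ToString() : "unknown (" + err + ")");
    }
}
```

With the cable unplugged the first line still prints True while the second reports the domain controller as unreachable, which is the behaviour described in the answer: IsInRole is answered from the group SIDs that were put into the logon token when the session was created (or, for a WCF caller authenticated with Kerberos, when its ticket was issued), not from a fresh directory lookup. For the server-side authorization case raised in the comment, a live query like the second check, or shorter ticket and session lifetimes, is what makes a revoked membership take effect before the user's next logon.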

Active Directory credentials can be cached on the local system, including role membership (to support Group Policy enforcement). You can turn off the credential cache as described in the MSDN KB article "Cached Domain Logon Information", but I'm not sure that will clear the cache. While I cannot confirm this (as I'm not currently on a system with cached credentials), I believe they are stored as hashes under the registry key HKEY_LOCAL_MACHINE\SECURITY\CACHE\ in values labeled "NLx", where x is an integer.

Amandalishus