
I want to find out if the user belongs to an AD group. Can you advise how I can add that functionality using the following code?

I ask the user to enter their username and password (through a form), so I am not using the Windows credentials. With the code below I am able to validate the user by passing the username and password. How can I build on the code to check if the user exists in the AD group? Is there another way to do this? Please advise.

using System.DirectoryServices;

// Bind to the directory with the credentials the user typed into the form.
// The bind is deferred: it is only attempted when the search below runs.
DirectoryEntry adsEntry = new DirectoryEntry("domain", userid, password);
DirectorySearcher adsSearcher = new DirectorySearcher(adsEntry);
try
{
    SearchResult adsSearchResult = adsSearcher.FindOne();   // throws if the bind fails
    context.Session.Timeout = 2;
    context.Session["ValidatedLoginID"] = userid;
    user.Verified = true;
    adsEntry.Close();
}
catch (Exception ex)
{
    // Failed to authenticate. Most likely it is caused by unknown user
    // id or bad strPassword.
    user.error = ex.Message;
    adsEntry.Close();
}
edcoder
  • Possible duplicate of [How to check if a user belongs to an AD group?](https://stackoverflow.com/questions/12029378/how-to-check-if-a-user-belongs-to-an-ad-group) – freedomn-m Nov 09 '18 at 15:20
  • I talked a bit about that in an article I wrote here: https://www.gabescode.com/active-directory/2018/09/13/one-user-is-member-of-a-group.html – Gabriel Luci Nov 09 '18 at 15:27
  • Thanks Gabriel, sorry, I just updated my question. The user fills a form to enter credentials, so I can't use the Windows authentication method. I will need to use a different way, if you know what I mean – edcoder Nov 09 '18 at 15:40
  • That's fine. My article discussed doing the same with `DirectoryEntry`. But you will have to search for their user account first. There are lots of examples online of finding a user by username with `DirectorySearcher`. – Gabriel Luci Nov 09 '18 at 16:00
  • Thank you Gabriel, will update on how I go about it. Your articles are really good. – edcoder Nov 10 '18 at 08:56

2 Answers


You can use the below code:

using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// both lookups return null when nothing matches, so check before calling IsMemberOf
if (user != null && group != null)
{
    // check if user is member of that group
    if (user.IsMemberOf(group))
    {
        // do something.....
    }
}

Also look at: How to check if a user belongs to an AD group?

aman
  • Hi Aman, thank you so much, but I need to validate the user's password. I don't want to allow them to do something if the password does not match. Can you advise how I can do that? – edcoder Nov 09 '18 at 14:36
  • @edcoder In your post you had mentioned that you were able to authenticate the user and need to check if the user belongs to the group. That's why I shared the above code. You might need to update your post and correct this. You would also need to provide details on what you want your user to authenticate against. Do you have some database, or is it a Windows login, etc.? – aman Nov 09 '18 at 14:43
  • @edcoder your post clearly states that you want to check if the user is in an AD group. There is no mention of checking passwords. Please ask a new question. – freedomn-m Nov 09 '18 at 15:19
  • @aman did you just copy code from an existing answer? You should vote close as a duplicate, not copy someone else's work (even if you provided a link back). – freedomn-m Nov 09 '18 at 15:20
  • @freedomn-m how can I vote to close as duplicate? Sorry, haven't done that before – aman Nov 09 '18 at 15:26
  • @aman, my code above does the authentication. If it fails it will tell me wrong username/password. That's why in my question I mentioned to build on that code. Below is what I am doing: I ask the user to enter username/password and then use DirectoryServices to authenticate. Within that I would like to check for the group as well. [Will update the question] – edcoder Nov 09 '18 at 15:37
  • With the code I posted above I believe you can do something like: PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Company.com", "DC=SomeDC,DC=COM", username, Password); where you pass your username and password. The rest of the code remains the same – aman Nov 09 '18 at 15:55


Here is how I solved this:

DirectoryEntry adsEntry = new DirectoryEntry("domain", userid, password);
DirectorySearcher adsSearcher = new DirectorySearcher(adsEntry);

// userid comes straight from the form, so escape it (RFC 4515) before it is
// placed in the filter; otherwise a crafted value can change the query.
string EscapeLdapFilter(string s) => s.Replace("\\", "\\5c").Replace("*", "\\2a")
    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
adsSearcher.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilter(userid) + "))";
adsSearcher.PropertiesToLoad.Add("memberOf");

// memberOf lists the distinguished names of the user's direct groups only
// (nested groups and the primary group are not included), so compare against
// the group's full DN. Placeholder DN below; substitute the real one.
const string groupDn = "CN=Group Name,OU=Groups,DC=domain,DC=local";

try
{
    // The bind with the user's credentials happens here; a wrong username or
    // password throws and lands in the catch block.
    SearchResult adsSearchResult = adsSearcher.FindOne();
    if (adsSearchResult == null)
    {
        throw new Exception("User account not found");
    }

    bool inGroup = false;
    foreach (object propertyValue in adsSearchResult.Properties["memberOf"])
    {
        if (string.Equals(propertyValue.ToString(), groupDn, StringComparison.OrdinalIgnoreCase))
        {
            inGroup = true;
            break;   // decide once; the earlier loop overwrote the result on every iteration
        }
    }

    if (inGroup)
    {
        user.Verified = true;
        user.FullName = GetFullName(userid);
    }
    else
    {
        user.Verified = false;
        user.error = "You do not belong to the Group so you cannot do this function";
    }
}
catch (Exception ex)
{
    user.Verified = false;
    user.error = "Please check your username and password credentials";
}
finally
{
    adsEntry.Close();
}
edcoder
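Pulling the two answers together (validate the submitted password first, then check group membership with the same credentials) as an added example that is not code from either answer: it uses PrincipalContext.ValidateCredentials for the password check and a DirectorySearcher filter with the LDAP_MATCHING_RULE_IN_CHAIN rule, so nested group membership counts too, which a plain memberOf loop does not cover. The domain name "corp.example.com" and the group DN passed in are placeholders, and it assumes the user can read its own directory object (the AD default).

```csharp
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

public static class AdGroupCheck
{
    // Escape a value before embedding it in an LDAP filter (RFC 4515), so
    // form input cannot alter the structure of the query.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // True only if the password is valid for userid AND the account is a direct
    // or nested member of groupDn. "corp.example.com" is a placeholder domain.
    public static bool IsValidatedMemberOf(string userid, string password, string groupDn)
    {
        // 1. Authenticate with the credentials the user typed into the form.
        using (var ctx = new PrincipalContext(ContextType.Domain, "corp.example.com"))
        {
            if (!ctx.ValidateCredentials(userid, password))
                return false;
        }

        // 2. Bind as that user and ask AD to walk group nesting for us
        //    (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
        using (var root = new DirectoryEntry("LDAP://corp.example.com", userid, password))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)"
                + "(sAMAccountName=" + EscapeLdapFilter(userid) + ")"
                + "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeLdapFilter(groupDn) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;   // a hit means the user is in the group
        }
    }
}
```

Because the filter asks for the user and the group membership in one query, a null result means either the account or the membership is missing; the password is already known to be good from step 1.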