
I'm really new to C# so forgive my ignorance. I need to test if a user (DOMAIN\username) is in a particular group, and yes, this includes nested groups.

I have found that WindowsPrincipal.IsInRole() works fantastic, when dealing with the current logged-in user. That isn't the case for me though. I need to be able to pass in an arbitrary DOMAIN\username or UPN (I'll do whichever is easiest to implement), and get back true/false if they are a member of group X, even if they are only indirect members of group X (e.g: user is member of group Y, and group Y is member of group X).

I've looked at WindowsIdentity, and maybe it's being new to C#, but I just didn't see a way to do something like WindowsIdentity("MYDOMAIN\User1"). Well, I did, but never got anywhere close to getting it to work.

Using C#, given a DOMAIN\username, which will not be the current logged-in user, how can I determine if they are a member of DOMAIN\group ?

Kelsey
Alan M

4 Answers


You can use an LDAP query for that. Here is a good article:

Howto: (Almost) Everything In Active Directory via C#

oleksii
  • Thank you for that link. While it didn't get me the solution I was hoping for, it does contain a ton of other useful bits. – Alan M Sep 13 '11 at 19:30

Here is a function I have used that works, and you should be able to use it almost as is. You will probably have to create ParseUserDomain, but that is pretty straightforward:

using System.DirectoryServices.AccountManagement;
using System.Linq;   // Contains() on PrincipalSearchResult<Principal> is a LINQ extension method

/// <summary>
/// Checks if a user is in an Active Directory group.
/// </summary>
/// <param name="username">Can contain the domain and username or just username
///    (eg. domain\username or username).  If no domain is specified, the default
///    domain is used.</param>
/// <param name="group">Active directory group to check.  Group name only.  No
///    leading domain as the domain from the user is used.</param>
/// <returns>True if the user is a direct or nested member of the group.</returns>
public bool UserIsInActiveDirectoryGroup(string username, string group)
{
    bool isInGroup = false;
    string user = "";
    string domain = "";
    // Parses off domain and user to separate values
    // (ParseUserDomain is not shown here; it splits "domain\user" into its two parts
    // and supplies the default domain when none is given)
    ParseUserDomain(username, out domain, out user);

    if (string.IsNullOrEmpty(user) ||
        string.IsNullOrEmpty(domain) ||
        string.IsNullOrEmpty(group))
    {
        return false;
    }

    using (PrincipalContext ADContext = new PrincipalContext(ContextType.Domain,
        domain))
    {
        using (GroupPrincipal principalGroup =
            GroupPrincipal.FindByIdentity(ADContext, group))
        {
            if (principalGroup != null)
            {
                using (UserPrincipal ADPrincipalUser =
                    UserPrincipal.FindByIdentity(ADContext, user))
                {
                    if (ADPrincipalUser != null)
                    {
                        // True means deep (recursive) search, so nested groups are included
                        var users = principalGroup.GetMembers(true);
                        isInGroup = users.Contains(ADPrincipalUser);
                    }
                }
            }
        }
    }
    return isInGroup;
}
Kelsey
  • Kelsey: I tried tinkering with your script, but it will not compile, complains when it hits users.Contains(). Says `Error 5 'System.DirectoryServices.AccountManagement.PrincipalSearchResult' does not contain a definition for 'Contains' and no extension method 'Contains' accepting a first argument of type 'System.DirectoryServices.AccountManagement.PrincipalSearchResult' could be found (are you missing a using directive or an assembly reference?)`. – Alan M Sep 13 '11 at 00:13
  • @Alan M What version of C# are you using? Do you have the following `using` statement defined: `using System.Linq;`? – Kelsey Sep 13 '11 at 15:16
  • I tried .NET Framework 2.0, 3.5, and to 4.0. This is in Visual Studio 2010. I have not included System.Linq. I'll tie that in there and give it a shot. – Alan M Sep 13 '11 at 16:54
  • @Alan M in the example I posted I was using .NET 4.0 and Linq. – Kelsey Sep 13 '11 at 17:26

I answered with a recursive query in a similar entry in Stack Overflow called Find Recursive Group Membership (Active Directory) using C#. Changing the code I gave there can allow you to do what you want.

JPBlanc

Answer to own question: I tried the solutions presented, and wasn't able to get them to work. Note, I'm 100% sure this is due to my inexperience with C#, and not anything to do with what the commenters posted. Love and thanks to all the commenters who helped out.

What did work for me is this: http://ddkonline.blogspot.com/2010/05/how-to-recursively-get-group-membership.html

I did have to do some basic tweaks to make the above solution fit my situation (change the LDAP params, for example), but it basically worked. Returns true if member-of-group, false otherwise. I hope this saves future searchers some hair, as I've already lost a handful. Thanks again to all who posted help.

Alan M
  • Sorry but the "special query syntax provided by Microsoft LDAP in the Directory Searcher Filter to recursively get a list of all groups that the user is directly AND indirectly a member of" described in your article is the same as the one used in the sample I gave in [Find Recursive Group Membership (Active Directory) using C#.](http://stackoverflow.com/questions/6252819/find-recursive-group-membership-active-directory-using-c) – JPBlanc Sep 13 '11 at 20:21
  • I'll chalk that up to my inexperience with C#. For whatever reason I was able to get it to work. – Alan M Sep 16 '11 at 16:18
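An added example, not code from the question or from any of the answers above: it performs the recursive check that the accepted approach and JPBlanc's answer describe with a single DirectorySearcher query, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so the domain controller walks the memberOf chain itself, and it escapes the caller-supplied names before they are placed in the filter. It assumes the domain part of DOMAIN\username resolves for a serverless LDAP:// bind under the calling process's credentials, and that both names are sAMAccountNames.

```csharp
using System.DirectoryServices;

public static class NestedGroupCheck
{
    // Escapes the characters that are special inside an LDAP filter value (RFC 4515)
    // so that a caller-supplied name cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        // Backslash first, so the escape sequences added afterwards are left intact.
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Returns the distinguishedName of the group with this sAMAccountName, or null.
    static string FindGroupDn(DirectoryEntry root, string group)
    {
        using (var s = new DirectorySearcher(root))
        {
            s.Filter = "(&(objectCategory=group)(sAMAccountName=" + EscapeFilterValue(group) + "))";
            s.PropertiesToLoad.Add("distinguishedName");
            SearchResult r = s.FindOne();
            return r == null ? null : (string)r.Properties["distinguishedName"][0];
        }
    }

    // True when DOMAIN\user is a direct or nested member of DOMAIN\group;
    // false when the input is malformed or either object cannot be found.
    public static bool IsMemberRecursive(string domainUser, string domainGroup)
    {
        string[] u = domainUser.Split(new[] { '\\' }, 2);
        string[] g = domainGroup.Split(new[] { '\\' }, 2);
        if (u.Length != 2 || g.Length != 2) return false;
        using (var root = new DirectoryEntry("LDAP://" + u[0]))   // assumes u[0] resolves to a DC
        {
            string groupDn = FindGroupDn(root, g[1]);
            if (groupDn == null) return false;
            using (var s = new DirectorySearcher(root))
            {
                // The :1.2.840.113556.1.4.1941: rule (LDAP_MATCHING_RULE_IN_CHAIN) makes the
                // server walk the memberOf chain, so nested groups are resolved in one query.
                s.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(u[1]) + ")"
                         + "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(groupDn) + "))";
                s.PropertiesToLoad.Add("distinguishedName");
                return s.FindOne() != null;
            }
        }
    }
}
```

Membership that exists only through a user's primary group (typically Domain Users) is not stored in memberOf, so this query, like any memberOf-based check, will not report it.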