Is there a way to get a list of roles a Windows authenticated user is in, without explicitly checking each one with the WindowsPrincipal.IsInRole method?
4 Answers
WindowsPrincipal.IsInRole just checks if the user is a member of the group with that name; a Windows Group is a Role. You can get a list of the groups that a user is a member of from the WindowsIdentity.Groups property.

You can get WindowsIdentity from your WindowsPrincipal:

    // `principal` is your WindowsPrincipal instance (Identity is an instance property)
    WindowsIdentity identity = principal.Identity as WindowsIdentity;

or you can get it from a factory method on WindowsIdentity:

    WindowsIdentity identity = WindowsIdentity.GetCurrent();

WindowsIdentity.Groups is a collection of IdentityReference which just gives you the SID of the group. If you need the group names you will need to translate the IdentityReference into an NTAccount and get the Value:

    var groupNames = from id in identity.Groups
                     select id.Translate(typeof(NTAccount)).Value;

- I used `var identity = User.Identity as WindowsIdentity;` – Jaider Jan 20 '14 at 15:40
- This method doesn't show new groups I created, why? – martis martis May 22 '20 at 09:14
- You have to log out and log in again; this method only reads the security tokens. It does not query the DC again – user1034912 Jun 24 '20 at 02:15
EDIT: Josh beat me to it! :)

Try this:

    using System;
    using System.Security.Principal;

    namespace ConsoleApplication5
    {
        internal class Program
        {
            private static void Main(string[] args)
            {
                var identity = WindowsIdentity.GetCurrent();
                foreach (var groupId in identity.Groups)
                {
                    var group = groupId.Translate(typeof(NTAccount));
                    Console.WriteLine(group);
                }
            }
        }
    }

If you are not connected to the domain server, the Translate function may throw the following exception: "The trust relationship between this workstation and the primary domain failed."

But for most of the groups it will be OK, so I use:

    var groups = new List<string>();  // needs System.Collections.Generic
    foreach (var s in WindowsIdentity.GetCurrent().Groups) {
        try {
            IdentityReference grp = s.Translate(typeof(NTAccount));
            groups.Add(grp.Value);
        }
        catch (Exception) { }  // skip SIDs that cannot be resolved
    }

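A combined version of the techniques from the answers above, added here and not taken from any of them: it resolves each token SID to a name, keeps the SIDs that cannot be translated instead of discarding them, and adds a membership check by well-known SID that does not depend on the localized group name. `TokenGroups`, `Resolve` and `HasWellKnownGroup` are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example; TokenGroups, Resolve and HasWellKnownGroup are names chosen here.
internal static class TokenGroups
{
    // Resolves each group SID in the token to "DOMAIN\Name". SIDs that cannot be
    // translated are recorded in `unresolved` rather than silently dropped.
    public static List<string> Resolve(WindowsIdentity identity, List<string> unresolved)
    {
        var names = new List<string>();
        if (identity.Groups == null) return names;
        foreach (IdentityReference group in identity.Groups)
        {
            try
            {
                names.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (SystemException)
            {
                // IdentityNotMappedException (no account for this SID) and the
                // "trust relationship ... failed" error both derive from SystemException.
                unresolved.Add(group.Value);
            }
        }
        return names;
    }

    // Membership check by well-known SID: needs no name translation and is not
    // affected by localized group names (BUILTIN\Administrators vs. Administratoren).
    public static bool HasWellKnownGroup(WindowsIdentity identity, WellKnownSidType type)
    {
        if (identity.Groups == null) return false;
        foreach (IdentityReference group in identity.Groups)
            if (group is SecurityIdentifier sid && sid.IsWellKnown(type)) return true;
        return false;
    }

    private static void Main()
    {
        var unresolved = new List<string>();
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // Groups reflects the logon token; groups added after logon appear only after re-logon.
            foreach (string name in Resolve(identity, unresolved)) Console.WriteLine(name);
            foreach (string sid in unresolved) Console.WriteLine("unresolved: " + sid);
            Console.WriteLine("Administrators in token: " +
                HasWellKnownGroup(identity, WellKnownSidType.BuiltinAdministratorsSid));
        }
    }
}
```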
In an ASP.NET MVC site, you can do it like this:

Add this to your Web.config:

    <system.web>
      ...
      <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
      ...
    </system.web>

Then you can use Roles.GetRolesForUser() to get all the Windows groups that the user is a member of. Make sure you're using System.Web.Security.
