How to check whether a user belongs to an AD group and nested groups?

Posted by elsharpo on Stack Overflow See other posts from Stack Overflow or by elsharpo
Published on 2010-04-21T02:34:47Z Indexed on 2010/04/21 2:43 UTC
Read the original article Hit count: 578

hi guys,

I have an ASP.NET 3.5 application using Windows Authentication and implementing our own RoleProvider.

Problem is we want to restrict access to a set of pages to a few thousand users and rathern than inputing all of those one by one we found out they belong to an AD group.

The answer is simple if the common group we are checking membership against the particular user is a direct member of it but the problem I'm having is that if the group is a member of another group and then subsequently member of another group then my code always returns false.

For example: Say we want to check whether User is a member of group E, but User is not a direct member of *E", she is a member of "A" which a member of "B" which indeed is a member of E, therefore User is a member of *E"

One of the solutions we have is very slow, although it gives the correct answer

using (var context = new PrincipalContext(ContextType.Domain))
  {
    using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, "DL-COOL-USERS"))
    {
      var users = group.GetMembers(true); // recursively enumerate

      return users.Any(a => a.Name == "userName");
    }
  }

The original solution and what I was trying to get to work, using .NET 3.5 System.DirectoryServices.AccountManagement and it does work when users are direct members of the group in question is as follows:

public bool IsUserInGroup(string userName, string groupName)
{
  var cxt = new PrincipalContext(ContextType.Domain, "DOMAIN");
  var user = UserPrincipal.FindByIdentity(cxt, IdentityType.SamAccountName, userName);

 if (user == null)
  {       
    return false;
  }


  var group = GroupPrincipal.FindByIdentity(cxt, groupName);

  if (group == null)
  {        
    return false;
  }

  return user.IsMemberOf(group);
}

The bottom line is, we need to check for membership even though the groups are nested in many levels down.

Thanks a lot!

© Stack Overflow or respective owner

Related posts about .NET

Related posts about active-directory