开发者

How do I find out if an arbitrary DOMAIN\username is in a specific role with C#?

开发者 https://www.devze.com 2023-04-04 04:13 出处:网络
I\'m really new to C# so forgive my ignorance. I need to test if a user (DOMAIN\\username) is in a particular group, and yes, this includes nested groups.

I'm really new to C# so forgive my ignorance. I need to test if a user (DOMAIN\username) is in a particular group, and yes, this includes nested groups.

I have found that WindowsPrincipal.IsInRole() works fantastic, when dealing with the current logged-in user. That isn't the case for me though. I need to be able to pass in an arbitrary DOMAIN\username or UPN (I'll do whichever is easiest to implement), and get back true/false if they are a member of group X, even if they are only indirect members of group X (e.g: user is member of group Y, and group Y is member of group X).

I've looked at WindowsIdentity, and maybe it's 开发者_C百科being new to C#, but I just didn't see a way to do something like WindowsIdentity("MYDOMAIN\User1"). Well, I did, but never got anywhere close to getting it to work.

Using C#, given a DOMAIN\username, which will not be the current logged-in user, how can I determine if they are a member of DOMAIN\group ?


You can use LDAP query for that. Here is a good article

Howto: (Almost) Everything In Active Directory via C#


Here is an function I have use that works and you should be able to use it as is almost. You will probably have to create ParseUserDomain but that is pretty straight forward:

/// <summary>
/// Checks if a user in is a active directory group.
/// <summary>
/// <param name="username">Can contain the domain and username or just username
///    (eg. domain\username or username).  If no domain is specified, the default
///    domain is used.</param>
/// <param name="group">Active directory group to check.  Group name only.  No
///    leading domain as the domain from the user is used.</param>
/// <returns></returns>
public bool UserIsInActiveDirectoryGroup(string username, string group)
{
    bool isInGroup = false;
    string user = "";
    string domain = "";
    // Parses off domain and user to seperate values
    ParseUserDomain(username, out domain, out user);   

    if (string.IsNullOrEmpty(user) ||
        string.IsNullOrEmpty(domain) ||
        string.IsNullOrEmpty(group))
    {
        return false;
    }

    using (PrincipalContext ADContext = new PrincipalContext(ContextType.Domain,
        domain))
    {
        using (GroupPrincipal principalGroup = 
            GroupPrincipal.FindByIdentity(ADContext, group))
        {
            if (principalGroup != null)
            {
                using (UserPrincipal ADPrincipalUser = 
                    UserPrincipal.FindByIdentity(ADContext, user))
                {
                    // True means deep search
                    var users = principalGroup.GetMembers(true);
                    isInGroup = users.Contains(ADPrincipalUser);
                }
            }
        }
    }
    return isInGroup;
}


I answered with a recursive query in a similary entry in Stack Overflow called Find Recursive Group Membership (Active Directory) using C#. Changing the code I gave there can allow you to do what you want.


Answer to own question: I tried the solutions presented, and wasn't to get them to work. Note, I'm 100% sure this is due to my inexperience with C#, and not anything to do with what the commenters posted. Love and thanks to all the commenters who helped out.

What did work for me is this: http://ddkonline.blogspot.com/2010/05/how-to-recursively-get-group-membership.html

I did have to do some basic tweaks to make the above solution fit my situation (change the LDAP params, for example), but it basically worked. Returns true if member-of-group, false otherwise. I hope this saves future searchers some hair, as I've already lost a handfull. Thanks again to all who posted help.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号