Re: WindowsPrincipal.IsInRole not working

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Thu, 25 Sep 2003 11:37:24 -0500


That is an Active Directory question, but you should be able to change the
type of the group unless it contains members that the current group cannot
contain or if it is nested in another group that cannot contain a group of
the new type. The Active Directory reference in MSDN explains all of this.

I actually don't understand why domain local groups don't get pulled into
your token, but there are lots of things about AD that I still find
confusing too.

Reflection is cool, isn't it? :)

Good luck,

Joe K.
"K. Shier" <ks4hire@spamAtYourOwnRisk.yahoo.com> wrote in message
news:%23VsuHp3gDHA.3616@TK2MSFTNGP11.phx.gbl...
> thanks Joe! i just checked that out and it looks like it is going to work.
>
> i appreciate the code snippet as i wouldn't even have known where to begin!
> (until a couple minutes ago, my definition of 'reflection' was sitting at my
> desk resting my chin on my hands thinking "I sure am screwed..."!)
>
> for some reason the network admin told me to create the security groups as
> 'Domain Local' instead of 'Global'. but only groups that are Global show up
> in WindowsIdentity's _GetRoles method. i don't understand why, but that's
> only because i have no idea what the distinction is between a 'Global' and
> 'Domain Local' group! (i have very limited experience administrating Win2k
> nets.)
>
> FYI: i _am_ on framework 1.0, and it did occur to me briefly that
> case-sensitivity might be the issue, but since the capitalization is correct
> in my strings, i didn't give it any further thought. if i had known earlier
> about the bug, i probably would have dwelled on capitalization forever,
> thinking _that_ was the problem! =)
>
> now i just need to know if there is any way to reset the scope of the
> security groups i've created to 'Global' or will i have to delete then
> re-create them all? but i think that's a topic for another NG...
>
> THANKS AGAIN! =)
>
> --------------
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:uRRZz3wgDHA.524@tk2msftngp13.phx.gbl...
> > A couple of things:
> >
> > WindowsPrincipal definitely matches group names with "domain\group name"
> > where domain is either the domain or local machine name and group name is
> > the samAccountName of the group. A bug in Framework 1.0 exists where role
> > name checks are case sensitive for WindowsPrincipal.IsInRole. This is fixed
> > in 1.1, but it may be screwing you up.
> >
> > When I've been in a jam with these things, I've used reflection to call the
> > private _GetRoles method of WindowsIdentity so that I can see the actual
> > array of role names. You shouldn't use this in production, but it is really
> > helpful for debugging.
> >
> > (VB.NET code snippet)
> >
> > Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
> >
> > Dim idType As Type
> > idType = GetType(WindowsIdentity)
> > ' Invoke the private static _GetRoles(token) and read back the role names.
> > Dim result As Object = idType.InvokeMember("_GetRoles", _
> >     BindingFlags.Static Or BindingFlags.InvokeMethod Or BindingFlags.NonPublic, _
> >     Nothing, id, New Object() {id.Token}, Nothing)
> > Dim roles() As String = DirectCast(result, String())
> >
> > HTH,
> >
> > Joe K.
> >
> >
> >
> > "K. Shier" <ks4hire@spamAtYourOwnRisk.yahoo.com> wrote in message
> > news:uRTm7AugDHA.1648@TK2MSFTNGP09.phx.gbl...
> > > VB.Net 2002, developing under Win2k pro, server is running Win2k server
> > >
> > > i am trying to put some role-based security into my application. the roles
> > > are based on permission Groups which i've already created on the domain
> > > controller. according to what i've read on the subject, a WindowsPrincipal
> > > should provide a direct mechanism to determine if the user is a member of
> > > one of these Groups or not, but i can't get it to work.
> > >
> > >
> > > here's a simplified excerpt from my prog:
> > >
> > > Public Sub SomeSecuredFeature()
> > >     Dim MyIdentity As System.Security.Principal.WindowsIdentity = _
> > >         System.Security.Principal.WindowsIdentity.GetCurrent()
> > >     Dim MyPrincipal As New _
> > >         System.Security.Principal.WindowsPrincipal(MyIdentity)
> > >
> > >     If MyPrincipal.IsInRole("DRS\DRS Administrators") Then
> > >         'allow the user to do something
> > >     Else
> > >         'disallow
> > >     End If
> > > End Sub
> > >
> > > problem is, i can never get a True result for .IsInRole.
> > >
> > > the Group name is 'DRS Administrators' and according to AD Users And
> > > Computers, i am a member of it! the domain name is 'DRS', & the DC's
> > > machine name is 'DRSSERVER'
> > >
> > > i have tried a ludicrous number of permutations of what i *THINK* the name
> > > of the group might be: e.g. "DRS Administrators" (no machine/domain
> > > qualifier), "DRSSERVER\DRS Administrators" (machine name instead of domain
> > > name), "\\DRS\DRS Administrators" (leading backslashes?!), and even
> > > "drsserver.local/Users/DRS Administrators" (full AD object name). i have
> > > even tried matching the System groups like Administrators (which i am also
> > > a member of) and never get a match!
> > >
> > > seriously - i've tried every combination of these various formats for
> > > writing the group/role string, but no success...
> > >
> > >
> > > what am i missing here?
> > >
> > > is there NOT a direct correlation between a DC's Groups and a .Net
> > > WindowsPrincipal's 'Roles'? if not, how do i define the relationship
> > > between them?
> > >
> > > also, is there some method in .Net to simply query the DC and get a list of
> > > all the Groups?
> > >
> > >
> > > any insight would be much appreciated! THANKS! =)
> > >
> > >
> >
> >
>
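Putting Joe's reflection trick and the Framework 1.0 case-sensitivity caveat together, the following VB.NET helper is an added example, not code from either poster. It dumps the role names WindowsPrincipal actually matches against and performs a case-insensitive membership check on them; `RoleDebug`, `GetTokenRoles` and `IsInRoleIgnoreCase` are names chosen here, and `_GetRoles` is the .NET 1.x internal named in the thread, so this is for diagnostics rather than production code.

```vbnet
Imports System
Imports System.Reflection
Imports System.Security.Principal

' Added diagnostic helper (not from the thread). RoleDebug, GetTokenRoles and
' IsInRoleIgnoreCase are names chosen for this example.
Public Module RoleDebug

    ' Returns the role-name array WindowsPrincipal.IsInRole matches against, by
    ' calling the private _GetRoles method named in the thread. This is a .NET 1.x
    ' internal and can disappear in later versions, so use it for debugging only.
    Public Function GetTokenRoles(ByVal id As WindowsIdentity) As String()
        Dim flags As BindingFlags = BindingFlags.Static Or _
            BindingFlags.NonPublic Or BindingFlags.InvokeMethod
        Dim result As Object = GetType(WindowsIdentity).InvokeMember( _
            "_GetRoles", flags, Nothing, Nothing, New Object() {id.Token})
        Return DirectCast(result, String())
    End Function

    ' Case-insensitive equivalent of IsInRole, which sidesteps the Framework 1.0
    ' case-sensitivity bug. Role strings follow the "DOMAIN\samAccountName"
    ' (or "MACHINE\group") form that WindowsPrincipal expects.
    Public Function IsInRoleIgnoreCase(ByVal id As WindowsIdentity, _
                                       ByVal role As String) As Boolean
        Dim r As String
        For Each r In GetTokenRoles(id)
            If String.Compare(r, role, True) = 0 Then Return True
        Next
        Return False
    End Function

    Public Sub Main()
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As New WindowsPrincipal(id)
        Dim role As String = "DRS\DRS Administrators"   ' the group from the thread

        ' Built-in check beside the case-insensitive one: if only the second is
        ' True, the name is right and the 1.0 case-sensitivity bug is the cause.
        Console.WriteLine("IsInRole:           " & principal.IsInRole(role).ToString())
        Console.WriteLine("IsInRoleIgnoreCase: " & IsInRoleIgnoreCase(id, role).ToString())

        ' Dump every role name so the exact spelling the token carries is visible.
        Console.WriteLine("Roles in token:")
        Dim r As String
        For Each r In GetTokenRoles(id)
            Console.WriteLine("  " & r)
        Next
    End Sub
End Module
```

If `_GetRoles` is not present in the runtime you are on, `InvokeMember` throws a `MissingMethodException`, which is itself a useful signal that the reflection shortcut no longer applies.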


