Re: Getting the Groups a User belongs to ( in a service)
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/25/03
- Next message: Pent: "Re: ToBase64Transform class"
- Previous message: John: "using pragma in code protection"
- In reply to: Adam Byrne: "Re: Getting the Groups a User belongs to ( in a service)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Nov 2003 09:42:02 -0600
That makes a lot of sense if you already have the logon token. No sense
doing a lookup that the OS has already done for you.
I don't know if this helps you or not, but there is a cool .NET wrapper
assembly for Win32 security posted by a Microsoft employee in the samples
directory on GotDotNet that can save you a lot of time with the P/Invokes
(although it sounds like you might already be done).
Joe K.
"Adam Byrne" <a.byrne-iwantnospam@all-inpute.com> wrote in message
news:Op3ddJ1sDHA.2464@TK2MSFTNGP12.phx.gbl...
> Thanks Joe,
>
> I ended up not using ADSI at all. But your suggestion of getting the
> TokenGroups property led me in the right direction. Because I am using SSPI
> explicitly, I can easily get a ClientSecurityToken which is the security
> token of the client user. Using this token and the GetTokenInformation API
> I was able to get everything I needed - without using ADSI.
>
> -adam
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%234TsV6rsDHA.1788@tk2msftngp13.phx.gbl...
> > Well, IF the machine is a domain member, then binding without credentials
> > specified SHOULD work as the server's credentials should be picked up in
> > that case and you should get an authenticated bind. Trying to bind with
> > AuthenticationTypes.Secure specified might help with this.
> >
> > If that doesn't work, I suggest opening the user's object in AD by binding
> > with specific credentials. If you specify a username and password, you will
> > definitely get an authenticated bind or a failure. At that point, you
> > should be able to read most attributes on the user.
> >
> > I also suggest you get the user's tokenGroups attribute as opposed to their
> > objectSID attribute. TokenGroups contains an array of the SIDs of the
> > security groups the user belongs to including nested groups and the primary
> > group. This is by far the fastest way to get all of the relevant SIDs.
> > ObjectSID will only get you the user's SID.
> >
> > Since tokenGroups is a constructed attribute, you may need to call the
> > overload of RefreshCache that allows you to specify specific attributes to
> > retrieve.
> >
> > HTH,
> >
> > Joe K.
> >
> > "Adam Byrne" <a.byrne-iwantnospam@all-inpute.com> wrote in message
> > news:OqCSTfrsDHA.2248@TK2MSFTNGP09.phx.gbl...
> > > Hello,
> > >
> > > I need to be able to get the SIDs of a user and all the groups they belong
> > > to. This code would be running within a service. I am currently using the
> > > DirectoryServices namespace to successfully do this - but the service needs
> > > to be logged on as a domain account for it to work. I would prefer to have
> > > the service logged on as LocalSystem, but when I do this an exception is
> > > generated when I try to access the objectSID property of the DirectoryEntry
> > > object representing the user.
> > >
> > > I have also tried using a WMI query to no avail (works as an application
> > > but not as a service)
> > >
> > > Retrieval of the SID for a user now works if I use the LookUpAccountName
> > > API. But now I can't enumerate the groups that the user is in. I use the
> > > Invoke method of the DirectoryEntry object to get the "Groups" collection.
> > > But it raises the exception "COMException (0x80070035): The network path was
> > > not found". Is there another way to get the groups a user is in? Am I
> > > going about this in a completely wonky way?
> > >
> > > Incidentally the service is a server that initially authenticates the client
> > > using SSPI. Following authentication I try to get the SIDs of the groups
> > > that the client user belongs to. I have tried impersonating the client but
> > > I still get the same errors.
> > >
> > > Any thoughts would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Adam
> > >
> > >
> >
>
>
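Added example (editor's code, not posted by Joe or Adam) showing both routes the thread discusses: reading TOKEN_GROUPS from an access token with GetTokenInformation, which is what Adam settled on, and reading the constructed tokenGroups attribute through DirectoryEntry.RefreshCache, which is what Joe suggested. Assumptions: the SSPI client token (from QuerySecurityContextToken) is a handle opened with TOKEN_QUERY, so Main stands in the current process token for it; userDn, bindUser and bindPassword are placeholder parameters; the project references System.DirectoryServices.dll.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. Two ways to get a user's group SIDs:
// (1) GetTokenInformation(TokenGroups) on an access token (Adam's final approach),
// (2) the constructed tokenGroups attribute in AD via RefreshCache (Joe's suggestion).
public static class GroupSids
{
    const int TokenGroupsClass = 2;                  // TOKEN_INFORMATION_CLASS.TokenGroups
    const int ERROR_INSUFFICIENT_BUFFER = 122;
    const uint SE_GROUP_ENABLED = 0x00000004;
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           IntPtr info, int infoLength, out int returnLength);

    public sealed class GroupEntry
    {
        public SecurityIdentifier Sid;
        public uint Attributes;
        // A deny-only SID (restricted/filtered token) is NOT a membership: it only
        // matches deny ACEs, so authorization checks must ignore it.
        public bool DenyOnly { get { return (Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0; } }
        public bool Enabled  { get { return (Attributes & SE_GROUP_ENABLED) != 0; } }
    }

    // (1) Read TOKEN_GROUPS from a token handle opened with TOKEN_QUERY (assumption:
    // the caller passes the SSPI client token; Main below uses the process token).
    public static List<GroupEntry> FromToken(IntPtr token)
    {
        int needed;
        // Size probe: fails with ERROR_INSUFFICIENT_BUFFER and reports the length needed.
        if (!GetTokenInformation(token, TokenGroupsClass, IntPtr.Zero, 0, out needed)
            && Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
            throw new Win32Exception();

        IntPtr buf = Marshal.AllocHGlobal(needed);
        try
        {
            if (!GetTokenInformation(token, TokenGroupsClass, buf, needed, out needed))
                throw new Win32Exception();

            // TOKEN_GROUPS is { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[]; }.
            // The array starts at the next pointer-aligned offset (4 on x86, 8 on x64).
            int count = Marshal.ReadInt32(buf);
            long groups = buf.ToInt64() + IntPtr.Size;
            int entrySize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
            var result = new List<GroupEntry>(count);
            for (int i = 0; i < count; i++)
            {
                var sa = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(
                    new IntPtr(groups + (long)i * entrySize), typeof(SID_AND_ATTRIBUTES));
                // Copy the SID out now: sa.Sid points into buf, which is freed below.
                result.Add(new GroupEntry { Sid = new SecurityIdentifier(sa.Sid), Attributes = sa.Attributes });
            }
            return result;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // (2) Joe's ADSI route. tokenGroups is constructed, so it is absent from the
    // property cache until requested with the RefreshCache(string[]) overload.
    // userDn, bindUser and bindPassword are placeholders for the illustration.
    public static List<SecurityIdentifier> FromDirectory(string userDn, string bindUser, string bindPassword)
    {
        using (var user = new DirectoryEntry("LDAP://" + userDn, bindUser, bindPassword,
                                             AuthenticationTypes.Secure))
        {
            user.RefreshCache(new[] { "tokenGroups" });
            var sids = new List<SecurityIdentifier>();
            foreach (byte[] raw in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier(raw, 0));
            return sids;
        }
    }

    // True only if the token carries sid as an enabled, non-deny-only group.
    public static bool IsMemberOf(List<GroupEntry> groups, SecurityIdentifier sid)
    {
        foreach (var g in groups)
            if (g.Enabled && !g.DenyOnly && g.Sid.Equals(sid)) return true;
        return false;
    }

    public static void Main()
    {
        var me = WindowsIdentity.GetCurrent();
        var groups = FromToken(me.Token);
        foreach (var g in groups)
        {
            string name;
            try { name = g.Sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unmapped, e.g. the logon SID)"; }
            Console.WriteLine("{0,-46} {1} {2}", g.Sid.Value, name,
                              g.DenyOnly ? "DENY-ONLY" : g.Enabled ? "enabled" : "disabled");
        }
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("Member of BUILTIN\\Administrators: " + IsMemberOf(groups, admins));
    }
}
```

Two caveats worth keeping in mind when choosing between the routes. The token list is what the logon actually produced (the domain groups the DC placed in the token plus Everyone, Authenticated Users, the logon SID and any local groups on the server), so it is the right input for an authorization decision and needs no directory round trip, which is Joe's point about not repeating a lookup the OS has done. The AD tokenGroups attribute returns only domain security groups and needs an authenticated bind. In either case, only compare SIDs, never names, and never treat a deny-only entry as a membership.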