Re: WindowsPrincipal.IsInRole does not reflect recent changes in AD

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 08/26/04


Date: Thu, 26 Aug 2004 11:01:56 -0500

Your logon token is only cached once when you log on, so the behavior you are
seeing is the correct behavior. When you log on programmatically, a new
token is constructed.

There is no way to force the interactive logon token to have the new groups
in it while you are still logged in.

Joe K.

<tonci.tomic@mireo.hr> wrote in message
news:cfb25da1.0408260737.4824ebd1@posting.google.com...
> I created new group "SomeGroup" on the domain controller.
> If I add myself to that group and try the following code on my machine
>
> ...
> // Principal built from the process's cached logon token
> WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
> bool is_in_role = wp.IsInRole(Environment.UserDomainName + @"\SomeGroup");
> ...
>
>
> is_in_role will be false until I log off and log on again, and
> sometimes not even then.
>
> If I try the following
>
> ...
> // needs: using System; using System.Security.Principal; using System.Threading;
> // Win32Logon is the poster's own wrapper (not shown) around the Win32
> // LogonUser and CloseHandle APIs
> IntPtr token = IntPtr.Zero;
> if (Win32Logon.LogonUser("MyUsername", Environment.UserDomainName, "MyPassword",
>                          (int)Win32Logon.LogonType.LOGON32_LOGON_NETWORK,
>                          (int)Win32Logon.LogonProvider.LOGON32_PROVIDER_DEFAULT,
>                          ref token))
> {
>     AppDomain dom = Thread.GetDomain();
>     dom.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
>     // Identity built from the token LogonUser just constructed, not the cached one
>     WindowsIdentity wi = new WindowsIdentity(token);
>     WindowsPrincipal wp = new WindowsPrincipal(wi);
>     bool is_in_role = wp.IsInRole(Environment.UserDomainName + @"\SomeGroup");
>     Win32Logon.CloseHandle(token);
> }
> ...
>
> is_in_role will be true.
> The drawback of this method is that I need to know "MyPassword".
>
> Obviously, roles are cached somewhere for WindowsIdentity.GetCurrent
>
> Is there any way to force system to update roles for current user?
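
An added example illustrating the point of this exchange; it is not code from the original post or from Joe Kaplan. It compares the group list carried by the process's cached logon token with the list in a token that LSA builds right now via LogonUser, and prints which groups differ. The P/Invoke declarations are the standard Win32 LogonUser and CloseHandle signatures; the class name TokenGroupsDemo and the command-line placeholders for user, domain, password and group are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the original post. Shows that the cached logon token
// is a snapshot: only a token constructed now reflects a recent AD group change.
// User, domain, password and group name are placeholders passed on the command line.
static class TokenGroupsDemo
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const int LOGON32_LOGON_NETWORK = 3;   // no interactive session needed
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Membership as baked into the token the process already holds.
    public static bool IsInRoleCached(string role)
    {
        return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(role);
    }

    // Identity built from a token LSA constructs now. Needs the password, so this is a
    // diagnostic, not something to put on an application's authorization path.
    public static WindowsIdentity FreshIdentity(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the handle, so the original is closed below.
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    public static bool IsInRoleFresh(string user, string domain, string password, string role)
    {
        return new WindowsPrincipal(FreshIdentity(user, domain, password)).IsInRole(role);
    }

    // Resolves a token's group SIDs to DOMAIN\name where possible. Logon SIDs and other
    // unmappable SIDs are kept as raw SID strings instead of being dropped.
    public static HashSet<string> GroupNames(WindowsIdentity wi)
    {
        HashSet<string> names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (IdentityReference sid in wi.Groups)
        {
            try { names.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(sid.Value); }
        }
        return names;
    }

    static void Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.WriteLine("usage: TokenGroupsDemo <user> <domain> <password> <DOMAIN\\group>");
            return;
        }
        string user = args[0], domain = args[1], password = args[2], role = args[3];

        Console.WriteLine("cached token says member: " + IsInRoleCached(role));
        Console.WriteLine("fresh token says member:  " + IsInRoleFresh(user, domain, password, role));

        // Show exactly which groups the cached token is missing, or still carries.
        HashSet<string> cached = GroupNames(WindowsIdentity.GetCurrent());
        HashSet<string> fresh = GroupNames(FreshIdentity(user, domain, password));
        foreach (string g in fresh)
            if (!cached.Contains(g)) Console.WriteLine("in fresh token only:  " + g);
        foreach (string g in cached)
            if (!fresh.Contains(g)) Console.WriteLine("in cached token only: " + g);
    }
}
```

Two things to expect when reading the diff: the per-session logon SID (S-1-5-5-X-Y) and logon-type groups such as NT AUTHORITY\INTERACTIVE versus NT AUTHORITY\NETWORK differ between any interactive token and a LOGON32_LOGON_NETWORK token, so those lines are noise; and a fresh token only reflects what the domain controller that serviced the logon has replicated, which is why a change can still be absent right after logging off and on again. If an application needs current membership without holding the user's password, query the directory for it rather than reading the token.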