Re: Check group membership, the sequel
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 02/21/05
To: microsoft.public.dotnet.security Date: Mon, 21 Feb 2005 13:14:34 -0800
Be careful with local groups - sometimes they are localized.
Try using WindowsBuiltInRole instead if you want to check the built-in groups. To double check that you got the spelling correct, try
whoami /groups
on the command line and copy/paste the output into your code (only works on w2k3).
...and I agree with Joe - IsInRole is the way to go and it MUST work.
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.security/

IsInRole supports fully nested security group membership (assuming you are
on a 2000 native AD domain that supports nested groups). You don't have to
do anything extra to make this work.
Joe K.
"Sameh Ahmed" <essoplus@hotmail.com> wrote in message
news:%234%23cFHEGFHA.3336@TK2MSFTNGP10.phx.gbl...
> The code you sent worked very well,
> and in a domain environment IsInRole also worked very well.
> I use it to decide whether the current user (running the
> application) has the right to be using it or the application should quit.
> So this part is solved and everything works very well.
> Within the functionality of the application, I need to decide
> how to handle users depending on their group memberships, i.e. if the
> "domain\user" belongs to the group "domain\group" it should be dealt with
> in manner A, and if it belongs to "domain\another group" it should
> be handled in manner B.
> Do I need to check whether the user belongs to a certain group or not
> (explicitly, or implicitly by belonging to a group that is a member of
> "domain\group")?
> Hope I made myself clear on that one.
> thanks again.
> Regards
> Sameh
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%23%23BpSEDGFHA.1396@tk2msftngp13.phx.gbl...
>> I still think you should be using WindowsPrincipal::IsInRole. What
>> happened when you tried the reflection code I suggested?
>>
>> It is possible to do group membership expansion programmatically, but it
>> seems like it would be better to try and get the built in stuff that
>> already supports this working.
>>
>> Joe K.
>>
>> "Sameh Ahmed" <essoplus@hotmail.com> wrote in message
>> news:Oy8a4nCGFHA.3928@TK2MSFTNGP09.phx.gbl...
>>> Hello there
>>> IsInRole gives you the means to check if the current or impersonated user
>>> belongs to a specific Windows role or group.
>>> Is there a way to do the same without using ADSI to check if
>>> "domain\user" belongs to "domain\group"?
>>> The reason is that getting the "memberof" property of a user and then
>>> checking whether it contains the desired group or not
>>> will only work if the user is a member of the group itself, but not
>>> when he is a member of a group that belongs to the designated group.
>>> Do I make sense?
>>> Regards
>>> Sameh
>>>
>>
>>
>
>
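The following is an added example written for this page; it is not code posted by anyone in the thread. It puts Dominick's and Joe's points into one program: IsInRole by string name (which breaks on localized builds), by WindowsBuiltInRole and by SID (both locale-independent), a domain-group check that relies on the token's already expanded nested memberships, and an enumeration of the token groups that reproduces what `whoami /groups` prints so the spelling can be copied into code. The group name `CORP\AppUsers` is a placeholder, and the SID-based overload and `WindowsIdentity.Groups` assume .NET Framework 2.0 or later on Windows.

```csharp
using System;
using System.Security.Principal;

// Added example, not code from the thread. Windows only; .NET Framework 2.0+ or .NET on Windows.
static class GroupMembershipCheck
{
    // Placeholder domain group for the "manner A / manner B" decision (assumption, not from the thread).
    const string AppUsersGroup = @"CORP\AppUsers";

    static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            WindowsPrincipal principal = new WindowsPrincipal(id);

            // Locale-dependent: on a German OS the group is "VORDEFINIERT\Administratoren",
            // so this string check returns false for a genuine administrator.
            bool adminByName = principal.IsInRole(@"BUILTIN\Administrators");

            // Locale-independent: the enum maps to the well-known RID (S-1-5-32-544).
            bool adminByRole = principal.IsInRole(WindowsBuiltInRole.Administrator);

            // SID-based: the SID column of `whoami /groups` can be pasted here verbatim,
            // or the well-known type can be used as below.
            SecurityIdentifier adminsSid =
                new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            bool adminBySid = principal.IsInRole(adminsSid);

            // Domain group by name. IsInRole consults the token's group list, which the
            // domain controller expanded transitively at logon, so nested membership
            // (user -> group -> AppUsers) needs no extra code.
            bool isAppUser = principal.IsInRole(AppUsersGroup);

            Console.WriteLine("User: {0}", id.Name);
            Console.WriteLine("Admin by name={0} by role={1} by SID={2}",
                adminByName, adminByRole, adminBySid);
            Console.WriteLine("Member of {0}: {1}", AppUsersGroup, isAppUser);

            // Caveat: under UAC a non-elevated administrator runs with a filtered token in
            // which BUILTIN\Administrators is marked deny-only, so all three admin checks
            // are false until the process is elevated.

            // Equivalent of `whoami /groups`: list the token groups (nested ones included)
            // and translate each SID to DOMAIN\Name, the exact spelling IsInRole(string) needs.
            Console.WriteLine("Token groups:");
            foreach (IdentityReference group in id.Groups)
            {
                string name;
                try
                {
                    name = group.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    name = "(unresolvable SID)"; // deleted group or unreachable domain
                }
                Console.WriteLine("  {0}  {1}", group.Value, name);
            }
        }
    }
}
```

Run it once as the target user and compare the printed group list with the `whoami /groups` output; any name that IsInRole(string) is given must match that list character for character, which is why the SID or WindowsBuiltInRole overloads are the safer choice for built-in groups.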