Re: ActiveDirectory group membership in offline profile



Of course - you cannot pass the SID string directly to IsInRole.

Try this:

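using System;
using System.Security.Principal;

class Program
{
    static void Main(string[] args)
    {
        // Print the SID of every group in the current user's token
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        foreach (IdentityReference group in id.Groups)
        {
            Console.WriteLine(group.Value);
        }

        WindowsPrincipal p = new WindowsPrincipal(id);

        // Placeholder: replace with the SID string of the domain group as printed by whoami
        SecurityIdentifier sid = new SecurityIdentifier("some domain SID shown by whoami");

        // Use the IsInRole overload that takes a SecurityIdentifier, not a string
        if (p.IsInRole(sid))
            Console.WriteLine("OK");
    }
}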

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
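
An added example, not part of the original posts: a console check that takes the group SID as an argument, validates it, and tests membership through the SecurityIdentifier overload of IsInRole, printing group names where they resolve and raw SIDs where they do not. The class name OfflineGroupCheck, the helper Describe and the exit codes are assumptions made for this illustration.

```csharp
using System;
using System.Security.Principal;

static class OfflineGroupCheck
{
    // Resolve a SID to DOMAIN\name when the name can be looked up;
    // fall back to the raw SID string when it cannot.
    static string Describe(IdentityReference sid)
    {
        try
        {
            return sid.Translate(typeof(NTAccount)).Value;
        }
        catch (SystemException) // includes IdentityNotMappedException
        {
            return sid.Value + " (name not resolvable)";
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: OfflineGroupCheck <group SID from whoami /groups>");
            return 2;
        }

        SecurityIdentifier required;
        try { required = new SecurityIdentifier(args[0]); }
        catch (ArgumentException)
        {
            Console.Error.WriteLine("Not a valid SID string: " + args[0]);
            return 2;
        }

        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // Show what the token actually contains
            foreach (IdentityReference group in id.Groups)
                Console.WriteLine(Describe(group));

            // Membership is decided on the SID, never on the group name
            bool member = new WindowsPrincipal(id).IsInRole(required);
            Console.WriteLine(member ? "member" : "not a member");
            return member ? 0 : 1;
        }
    }
}
```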

Hi

thx.

I tried that. When I do that offline, I get the SIDs with the
additional parameter /all.

But when I test the code with the SID instead of the name of the
group, it doesn't work either.

Dominick Baier wrote:

Hi,

you only have SIDs, no group names - you can easily check that with:

whoami /groups

you will see local groups
and SIDs for domain groups
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Hi

I have written an application in which I am using AD groups to set
the program permissions.

sample code:
System.Security.Principal.WindowsIdentity ident =
    System.Security.Principal.WindowsIdentity.GetCurrent();
System.Security.Principal.WindowsPrincipal prin =
    new System.Security.Principal.WindowsPrincipal(ident);
System.Threading.Thread.CurrentPrincipal = prin;
if (prin.IsInRole(@"domain\group"))
{
    btnUpdate.Visible = true;
}

When the user is not connected to the network, it is possible to log
on because of the user offline profile.

But then the code doesn't work, because the user has no memberships.
I thought the group membership would be stored in the offline user
profile too.

What can I do to solve that problem?

thx for help.

Tim


