Validate user permission



I'm working on building a web-based solution (C# + .NET) to allow users to
manage AD groups that they have appropriate rights to manage. On all groups
in Active Directory, there is an advanced permission called "Write Members".
If the user (who logged in via a forms-based login page) is granted that
permission on the group (either directly or by being a member of a group that
has been granted the necessary permission), they should be able to update the
group membership. The web app has its own user account with enough
permissions to update the group, but I don't know the best way of having it
determine if it should use its powers to update the membership for the user.


My question: What is the best way to handle this, and is there a way for me
to just pass the user DN (or SID, sAMAccountName, etc.) and have AD determine
if that user is allowed to access that object?

I've found code that should be able to get the user's security token, and
parse the SIDs it contains. I'm assuming I could then take that list of
SIDs, and compare it to the list of users/groups that have Write Members set
to allow on the group in question. This seems ugly/wrong. There are too
many cases where this falls short (i.e. the user is a member of a group that
doesn't have the Write Members permission, but it does have the Write All
Properties permission. It also doesn't effectively check for deny entries.)
It feels like there should be a way for me to simply [programmatically] ask AD
if user X has access to update the "member" attribute on a given group.

I am a Systems Engineer and not (yet) a programmer, so a more verbose
answer is very much appreciated.

Thanks!
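The DACL walk described in the question, with the cases it worries about handled (nested group membership, deny entries, "Write All Properties" and generic rights, and the property set that contains "member"), written as an added example; it is not code from the original post. It assumes the app runs on a domain-joined host under an account that can read the group's security descriptor, that the user is identified by UPN for the S4U lookup, and the hypothetical names WriteMembersCheck and CanWriteMembers.

```csharp
// Added example, not from the original post. Assumes a domain-joined host, an
// app account that can read the group's security descriptor, and a reference
// to System.DirectoryServices.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static class WriteMembersCheck
{
    // schemaIDGUID of the "member" attribute and rightsGuid of the "Membership"
    // property set that contains it (both well-known AD GUIDs).
    static readonly Guid MemberAttr = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
    static readonly Guid MembershipSet = new Guid("bc0ac240-79a9-11d0-9020-00c04fc2d4cf");

    // True if the user may write the group's "member" attribute. Deny ACEs are
    // treated conservatively: any matching deny wins, although Windows itself lets
    // an explicit allow precede an inherited deny.
    public static bool CanWriteMembers(string groupDn, string userPrincipalName)
    {
        // S4U logon: no password needed; yields the user's SID and every token
        // group (nested ones included), which is what AD compares ACEs against.
        var identity = new WindowsIdentity(userPrincipalName);
        var userSids = new IdentityReferenceCollection { identity.User };
        foreach (var g in identity.Groups) userSids.Add(g);

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            var rules = group.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
            bool allowed = false;
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                if (!userSids.Contains(rule.IdentityReference)) continue;
                // GenericWrite and GenericAll both include the WriteProperty bit.
                if ((rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == 0) continue;
                if (!AppliesToMember(rule)) continue;
                if (rule.AccessControlType == AccessControlType.Deny) return false;
                allowed = true;
            }
            return allowed;
        }
    }
    // An ACE with no object type covers every property ("Write All Properties");
    // with one, it must name the attribute itself or its property set.
    static bool AppliesToMember(ActiveDirectoryAccessRule rule)
    {
        if ((rule.ObjectFlags & ObjectAceFlags.ObjectAceTypePresent) == 0) return true;
        return rule.ObjectType == MemberAttr || rule.ObjectType == MembershipSet;
    }
}
```

Call `CanWriteMembers` before the app uses its own privileged account to change the membership; if it returns false, refuse the update and log the attempt.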