Re: Validate user permission



The best way to do this is to not use forms authentication but to use
Windows auth so that you can use the user's security context to talk to AD
directly.

If you bind to the directory using the credentials of the actual user, it is
much easier to apply their actual permissions in the directory. You can do
things like use the allowedAttributesEffective attribute to determine if the
authenticated user can modify a given attribute (member is the one you are
interested in, which is the only attribute in the Write Members permission
set).

You really really don't to attempt to recompute the DACL yourself. That is
very complicated. You should let AD do it for you.

If you must use forms auth, you should capture the user's credentials and
use those to bind to AD so that you can still take advantage of the native
permissions. Using the service account to access the directory isn't the
way to go here.

If you wanted to apply a different security model than that imposed by the
directory itself (a trusted subsystem architecture), then it would make
sense to use the service account for modifications and manage the
permissions in your business logic, but since you want to use the native AD
permissions, use the native security.

I would definitely recommend using the new
System.DirectoryServices.AccountManagement namespace in .NET 3.5 if you can.
It makes the actual group membership manipulation very easy to do.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4097FB1A-85F8-4BC7-95D9-2C578A295D7C@xxxxxxxxxxxxxxxx
I'm working on building a web-based solution (c# + .net) to allow users to
manage AD groups that they have appropriate rights to manage. On all
groups
in Active Directory, there is an advanced permission called "Write
Members".
If the user (who logged in via a forms based login page) is granted that
permission on the group (either directly or by being a member of a group
that
has been granted the necessary permission), they should be able to update
the
group membership. The web app has its own user account with enough
permissions to update the group, but I don't know the best way of having
it
determine if it should use it's powers to update the membership for the
user.


My question: What is the best way to handle this, and is there a way for
me
to just pass the user DN (or SID, SAMAccountName, etc), and have AD
determine
if it that user is allowed to access that object.

I've found code that should be able to get the user's security token, and
parse the SIDs it contains. I'm assuming I could then take that list of
SIDs, and compare it to the list of users/groups that have Write Members
set
to allow on the group in question. This seems ugly/wrong. There are too
many cases where this falls short (i.e. the user is a member of a group
that
doesn't have the Write Members permission, but it does have the Write All
Properties permission. It also doesn't effectively check for deny
entries.)
It feels like there should be a way for me to simply [programatically] ask
AD
if user X has access to update the "member" attribute on a given group.

I am a Systems Engineer and not (yet) a programmer, so a little more
verbose
answer is very much appreciated.

Thanks!


.