Re: Validate user permission

The best way to do this is to not use forms authentication but to use
Windows auth so that you can use the user's security context to talk to AD

If you bind to the directory using the credentials of the actual user, it is
much easier to apply their actual permissions in the directory. You can do
things like use the allowedAttributesEffective attribute to determine if the
authenticated user can modify a given attribute (member is the one you are
interested in, which is the only attribute in the Write Members permission

You really really don't to attempt to recompute the DACL yourself. That is
very complicated. You should let AD do it for you.

If you must use forms auth, you should capture the user's credentials and
use those to bind to AD so that you can still take advantage of the native
permissions. Using the service account to access the directory isn't the
way to go here.

If you wanted to apply a different security model than that imposed by the
directory itself (a trusted subsystem architecture), then it would make
sense to use the service account for modifications and manage the
permissions in your business logic, but since you want to use the native AD
permissions, use the native security.

I would definitely recommend using the new
System.DirectoryServices.AccountManagement namespace in .NET 3.5 if you can.
It makes the actual group membership manipulation very easy to do.

Joe K.
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
I'm working on building a web-based solution (c# + .net) to allow users to
manage AD groups that they have appropriate rights to manage. On all
in Active Directory, there is an advanced permission called "Write
If the user (who logged in via a forms based login page) is granted that
permission on the group (either directly or by being a member of a group
has been granted the necessary permission), they should be able to update
group membership. The web app has its own user account with enough
permissions to update the group, but I don't know the best way of having
determine if it should use it's powers to update the membership for the

My question: What is the best way to handle this, and is there a way for
to just pass the user DN (or SID, SAMAccountName, etc), and have AD
if it that user is allowed to access that object.

I've found code that should be able to get the user's security token, and
parse the SIDs it contains. I'm assuming I could then take that list of
SIDs, and compare it to the list of users/groups that have Write Members
to allow on the group in question. This seems ugly/wrong. There are too
many cases where this falls short (i.e. the user is a member of a group
doesn't have the Write Members permission, but it does have the Write All
Properties permission. It also doesn't effectively check for deny
It feels like there should be a way for me to simply [programatically] ask
if user X has access to update the "member" attribute on a given group.

I am a Systems Engineer and not (yet) a programmer, so a little more
answer is very much appreciated.