Re: Determine AD group membership



Note that this will only give you security group info. Also, it will not give you DLG information from foreign domains. So it is not necessarily a full listing of all groups that a user may be part of. As more and more LDAP-based applications start using distribution lists for their internal security instead of Windows security groups, this will play more and more into apps that need to monitor group membership.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




Skywing wrote:
GetTokenInformation(Token, TokenGroups, Groups, GroupsLength, &ReturnLength);

where you receive `Token' from any of the token-related functions, such as `LogonUser' or `OpenProcessToken' or `ImpersonateNamedPipeClient' used in conjunction with `OpenThreadToken'.

"TimAlsop" <TimAlsop@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5B2A3E58-0817-412D-871F-2C7733545CBF@xxxxxxxxxxxxxxxx
I have a Windows application that runs on Windows 2000 or XP workstations.
This application needs to find out which groups the logged on user is a
member of.

I can see that we can use ADSI, or LDAP to find group membership information
stored in AD for a specific user, but it seems like there must be a better
way. It is my understanding that when a user logs on, the group membership
information is transmitted to the user's workstation inside Kerberos tickets,
so it must be available somewhere on the workstation. Is there a Windows API to
allow me to get this group membership info, or do I need to decode the
Kerberos ticket's PAC data to get this info?

Thanks,
Tim
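
An added example, not part of the original thread: the token group list discussed above, read in PowerShell through .NET's WindowsIdentity, whose Groups property is filled from the same TokenGroups query. The function name Get-TokenGroup and its output property names are hypothetical; PowerShell 5 or later is assumed.

```powershell
# Added example (not from the thread). Get-TokenGroup and its property names are hypothetical.
function Get-TokenGroup {
    [CmdletBinding()]
    param(
        # Token to inspect; defaults to the calling process's own token.
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # .Groups is built from the SIDs held in the token; no directory query is made,
    # so distribution lists and anything else absent from the token never appear.
    foreach ($sid in $Identity.Groups) {
        try {
            # Name lookup can fail even though the SID is present in the token.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $name = $null
        }

        [pscustomobject]@{
            Sid       = $sid.Value
            Name      = $name
            # Null for well-known and BUILTIN SIDs, set for domain or machine groups.
            DomainSid = $sid.AccountDomainSid
        }
    }
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$groups    = @(Get-TokenGroup -Identity $identity)
$groups | Sort-Object Name | Format-Table Sid, Name, DomainSid -AutoSize

# For an access decision, ask the token rather than searching the list.
# IsInRole evaluates the token itself, so a group held only as deny-only
# (for example BUILTIN\Administrators in a UAC-filtered token) reports False;
# .Groups simply leaves such entries out.
$admins = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
'{0} groups in token; Administrators enabled: {1}' -f $groups.Count, $principal.IsInRole($admins)
```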

