See if user is part of Active Directory group in C# + Asp.net

花落未央 2020-11-30 19:06

I need a way to see if a user is part of an active directory group from my .Net 3.5 asp.net c# application.

I am using the standard ldap authentication example off o

14 answers
  • 2020-11-30 19:38

    Here is my 2 cents.

        using System;
        using System.Security.Principal;

        // The string constructor of WindowsIdentity expects a UPN such as
        // "jdoe@corp.example" and needs a domain-joined host to resolve it.
        static void CheckUserGroup(string userName, string userGroup)
        {
            var wi = new WindowsIdentity(userName);
            var wp = new WindowsPrincipal(wi);

            // IsInRole takes "DOMAIN\\Group" and checks the token's group SIDs,
            // which the domain controller has already expanded for nested groups
            bool inRole = wp.IsInRole(userGroup);

            Console.WriteLine("User {0} {1} member of {2} AD group", userName, inRole ? "is" : "is not", userGroup);
        }
    
  • 2020-11-30 19:38

    You could try the following code:

    using System;
    using System.DirectoryServices;

    public bool Check_If_Member_Of_AD_Group(string username, string grouptoCheck, string domain, string ADlogin, string ADpassword)
    {
        try
        {
            string entryString = "LDAP://" + domain;
            grouptoCheck = grouptoCheck.ToLower();

            // The username is concatenated into an LDAP filter, so the RFC 4515
            // special characters must be escaped (backslash first) to stop a
            // crafted login from widening the search to other accounts.
            string safeUser = username.Replace("\\", "\\5c").Replace("*", "\\2a")
                                      .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

            using (DirectoryEntry myDE = new DirectoryEntry(entryString, ADlogin, ADpassword))
            using (DirectorySearcher myDirectorySearcher = new DirectorySearcher(myDE))
            {
                myDirectorySearcher.Filter = "(sAMAccountName=" + safeUser + ")";
                myDirectorySearcher.PropertiesToLoad.Add("memberOf");

                SearchResult myresult = myDirectorySearcher.FindOne();
                if (myresult == null)
                    return false;   // no such user

                // Walk memberOf from the last value to the first, as the original did.
                // Each value is a DN such as "CN=App Admins,OU=Groups,DC=corp,DC=example".
                for (int i = myresult.Properties["memberOf"].Count - 1; i >= 0; i--)
                {
                    string tempString = (string)myresult.Properties["memberOf"][i];

                    // Keep only the leading RDN. This is cut short if the CN itself
                    // contains an escaped comma, and a CN is not unique across OUs,
                    // so compare full DNs or SIDs where you can.
                    int comma = tempString.IndexOf(",", 0);
                    if (comma >= 0)
                        tempString = tempString.Substring(0, comma);

                    tempString = tempString.Replace("CN=", "").ToLower().Trim();

                    if (grouptoCheck == tempString)
                        return true;
                }

                return false;
            }
        }
        catch (Exception)
        {
            // The commented-out VB line wrote ex.ToString() to the response; exception
            // detail does not belong in the browser, so only break under a debugger.
            System.Diagnostics.Debugger.Break();
            return false;
        }
    }
    
  • 2020-11-30 19:41
    using System.DirectoryServices.AccountManagement;

    using (var context = new PrincipalContext(ContextType.Domain, {ADDomain}, {ADContainer}))
    using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, {AD_GROUP_NAME}))
    using (var user = UserPrincipal.FindByIdentity(context, {login}))
    {
        // FindByIdentity returns null when the name does not resolve; treat that as "not a member"
        bool result = group != null && user != null && user.IsMemberOf(group);
    }
    
  • 2020-11-30 19:43

    Nick Craver's solution doesn't work for me in .NET 4.0. I get an error about an unloaded AppDomain. Instead of using that, I used this (we only have one domain). This will check groups of groups as well as direct group membership.

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;
    using System.Security.Principal;
    using System.Web;
    
    ...
    
    // "me" is the authenticated caller; in ASP.NET that is HttpContext.Current.User
    IPrincipal me = HttpContext.Current.User;
    string account = me.Identity.Name.Replace(yourDomain + "\\", "");

    using (var ctx = new PrincipalContext(ContextType.Domain, yourDomain))
    using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, yourGroup))
    {
        // GetMembers(true) recurses into nested groups; sAMAccountName is case-insensitive in AD
        bool isInRole = grp != null &&
            grp.GetMembers(true)
               .Any(m => string.Equals(m.SamAccountName, account, StringComparison.OrdinalIgnoreCase));
    }
    
  • 2020-11-30 19:44

    It depends on what you mean by if a user is in an AD group. In AD, groups can be a Security group or Distribution group. Even for security groups, it depends on if groups like "Domain Users" or "Users" need to be included in the membership check.

    IsUserInSecurityGroup will only check for security groups and will work for Primary Group kind of groups like "Domain Users" and "Users", and not distribution groups. It will also solve the issue with nested groups. IsUserInAllGroup will also check for Distribution groups, but I am not sure if you would run into permission issues. If you do, use a service account that is in WAAG (See MSDN)

    The reason I am not using UserPrincipal.GetAuthorizedGroups() is because it has a lot of issues, such as requiring the calling account to be in WAAG and requiring there isn't an entry in SidHistory (See David Thomas' comment)

    using System;
    using System.Collections.Generic;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;
    using System.Security.Principal;

    public bool IsUserInSecurityGroup(string user, string group)
    {
        // tokenGroups: security groups only, with nesting and the primary group expanded by the DC
        return IsUserInGroup(user, group, "tokenGroups");
    }
    public bool IsUserInAllGroup(string user, string group)
    {
        // tokenGroupsGlobalAndUniversal: global and universal groups, distribution groups included
        return IsUserInGroup(user, group, "tokenGroupsGlobalAndUniversal");
    }

    private bool IsUserInGroup(string user, string group, string groupType)
    {
        var userGroups = GetUserGroupIds(user, groupType);
        var groupTokens = ParseDomainQualifiedName(group, "group");
        using (var groupContext = new PrincipalContext(ContextType.Domain, groupTokens[0]))
        {
            using (var identity = GroupPrincipal.FindByIdentity(groupContext, IdentityType.SamAccountName, groupTokens[1]))
            {
                if (identity == null)
                    return false;

                // Compare SIDs, not names: unaffected by group renames or DN formatting
                return userGroups.Contains(identity.Sid);
            }
        }
    }
    private List<SecurityIdentifier> GetUserGroupIds(string user, string groupType)
    {
        var userTokens = ParseDomainQualifiedName(user, "user");
        using (var userContext = new PrincipalContext(ContextType.Domain, userTokens[0]))
        {
            using (var identity = UserPrincipal.FindByIdentity(userContext, IdentityType.SamAccountName, userTokens[1]))
            {
                if (identity == null)
                    return new List<SecurityIdentifier>();

                var userEntry = identity.GetUnderlyingObject() as DirectoryEntry;
                if (userEntry == null)
                    return new List<SecurityIdentifier>();

                // tokenGroups is a constructed attribute: it is only filled in when requested explicitly
                userEntry.RefreshCache(new[] { groupType });
                return (from byte[] sid in userEntry.Properties[groupType]
                        select new SecurityIdentifier(sid, 0)).ToList();
            }
        }
    }
    private static string[] ParseDomainQualifiedName(string name, string parameterName)
    {
        var groupTokens = name.Split(new[] { "\\" }, StringSplitOptions.RemoveEmptyEntries);
        // the original read this message from a project resource (Resources.Exception_NameNotDomainQualified)
        if (groupTokens.Length < 2)
            throw new ArgumentException("Name must be domain-qualified (DOMAIN\\name): " + name, parameterName);
        return groupTokens;
    }
    
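    Added example, not taken from any of the answers above: a hardened form of the DirectorySearcher approach in the 19:38 answer, plus a server-side nested-membership query covering the groups-of-groups case that the 19:43 and 19:44 answers handle client-side. It assumes a reachable domain controller, that the process identity may read users' memberOf, and placeholder values for the LDAP path and DNs; the escaping rules are RFC 4515 and the matching-rule OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.

```csharp
// Added example, not from any answer above. Assumes a reachable domain
// controller and that the process identity may read users' memberOf;
// "LDAP://corp.example" and the DNs passed in are placeholders.
using System;
using System.DirectoryServices;
using System.Text;

public static class SafeAdGroupCheck
{
    // RFC 4515 escaping for a value placed inside an LDAP filter. Without it,
    // a login such as "*)(objectClass=*" rewrites the query; with it, the value
    // can only ever match itself. Non-ASCII input is escaped per UTF-8 octet.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            bool special = b == 0x2A || b == 0x28 || b == 0x29 || b == 0x5C || b == 0x00;
            if (special || b < 0x20 || b > 0x7E)
                sb.Append('\\').Append(b.ToString("x2"));
            else
                sb.Append((char)b);
        }
        return sb.ToString();
    }

    private static string UserFilter(string samAccountName)
    {
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
               + EscapeFilterValue(samAccountName) + "))";
    }

    // Returns the user's distinguishedName, or null when no such account exists.
    public static string FindUserDn(string ldapPath, string samAccountName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, UserFilter(samAccountName),
                                                   new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult result = searcher.FindOne();
            return result == null ? null : (string)result.Properties["distinguishedName"][0];
        }
    }

    // Direct membership only, compared on the full group DN. Comparing just the
    // CN is ambiguous: two groups in different OUs may share a CN, and a CN that
    // contains an escaped comma is cut short by a split on the first comma.
    public static bool IsDirectMember(string ldapPath, string samAccountName, string groupDn)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, UserFilter(samAccountName),
                                                   new[] { "memberOf" }, SearchScope.Subtree))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) return false;   // unknown user: not a member, not an error
            foreach (object dn in result.Properties["memberOf"])
            {
                if (string.Equals((string)dn, groupDn, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
    }

    // Nested membership in one server-side query: the matching rule
    // 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) tells the DC to walk
    // the member chain, so groups-of-groups are covered without client recursion.
    public static bool IsMemberIncludingNested(string ldapPath, string samAccountName, string groupDn)
    {
        string userDn = FindUserDn(ldapPath, samAccountName);
        if (userDn == null) return false;
        string filter = "(&(objectClass=group)(distinguishedName=" + EscapeFilterValue(groupDn)
                        + ")(member:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(userDn) + "))";
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            return searcher.FindOne() != null;
        }
    }

    public static void Main()
    {
        // Offline demonstration of the escaper: a hostile value stays a literal.
        Console.WriteLine(UserFilter("*)(objectClass=*"));
    }
}
```

    Both membership checks take the group as a full DN and compare case-insensitively, which is how AD compares DNs. The 19:44 answer's SID comparison via tokenGroups is the other robust option; the query form here is useful when you only have an LDAP bind and no PrincipalContext.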
  • 2020-11-30 19:46

    This method might be helpful if you're trying to determine if the Windows authenticated current user is in a particular role.

    using System;
    using System.Linq;
    using System.Security.Principal;

    public static bool CurrentUserIsInRole(string role)
    {
        try
        {
            // Note: Translate throws for an orphaned SID (a deleted group still in the
            // token), and the catch then denies the role for every group, not just that one
            return System.Web.HttpContext.Current.Request
                        .LogonUserIdentity
                        .Groups
                        .Any(x => string.Equals(x.Translate(typeof(NTAccount)).ToString(), role,
                                                StringComparison.OrdinalIgnoreCase));
        }
        catch (Exception) { return false; }
    }
    
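    Added example, not from the 19:46 answer or any other post here: the same token-based check done by SID instead of by translated name, so a renamed group or an orphaned SID in the token no longer affects the result. It assumes ASP.NET Windows authentication (so Request.LogonUserIdentity carries the caller's token) and uses "CORP\\App Admins" as a placeholder group name.

```csharp
// Added example, not from the original answers. Checks the Windows token that
// ASP.NET already holds under Windows authentication, so no LDAP bind and no
// service-account password is involved. "CORP\\App Admins" is a placeholder.
using System;
using System.Security.Principal;
using System.Web;

public static class TokenGroupCheck
{
    // Resolve the group name to its SID once (for example in Application_Start).
    // A typo in the configured group name throws IdentityNotMappedException here,
    // which is preferable to a check that silently returns false on every request.
    public static SecurityIdentifier ResolveGroupSid(string domainQualifiedGroup)
    {
        var account = new NTAccount(domainQualifiedGroup);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    // Compare SIDs rather than names: the result survives a group rename, and an
    // orphaned SID in the token (a deleted group) cannot make the whole check
    // throw the way translating every group SID back to a name would.
    public static bool IsInGroup(WindowsIdentity identity, SecurityIdentifier groupSid)
    {
        if (identity == null || identity.Groups == null || groupSid == null) return false;
        foreach (IdentityReference group in identity.Groups)
        {
            if (groupSid.Equals(group)) return true;
        }
        return false;
    }

    // Same check for the current request. Returns false outside a request
    // (e.g. on a background thread) and for an unauthenticated caller.
    public static bool CurrentRequestUserIsInGroup(SecurityIdentifier groupSid)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null) return false;
        WindowsIdentity identity = ctx.Request.LogonUserIdentity;
        return identity != null && identity.IsAuthenticated && IsInGroup(identity, groupSid);
    }

    // Typical use: resolve once, compare per request.
    public static bool ExampleUsage()
    {
        SecurityIdentifier appAdmins = ResolveGroupSid("CORP\\App Admins");
        return CurrentRequestUserIsInGroup(appAdmins);
    }
}
```

    The framework's own equivalent is `new WindowsPrincipal(identity).IsInRole(groupSid)`, which also works from the token; the loop above is spelled out to show what is being compared. Because the token's group list is built by the domain controller at logon, nested groups are already expanded, but a user added to a group keeps their old token until they log on again, which is the trade-off against the LDAP-query approaches in the other answers.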