How do I find out if an arbitrary DOMAIN\username is in a specific role with C#?
I'm really new to C# so forgive my ignorance. I need to test if a user (DOMAIN\username) is in a particular group, and yes, this includes nested groups.
I have found that WindowsPrincipal.IsInRole() works fantastically when dealing with the current logged-in user. That isn't the case for me though. I need to be able to pass in an arbitrary DOMAIN\username or UPN (I'll do whichever is easiest to implement), and get back true/false if they are a member of group X, even if they are only indirect members of group X (e.g. user is a member of group Y, and group Y is a member of group X).
I've looked at WindowsIdentity, and maybe it's being new to C#, but I just didn't see a way to do something like WindowsIdentity("MYDOMAIN\User1"). Well, I did, but never got anywhere close to getting it to work.
Using C#, given a DOMAIN\username, which will not be the current logged-in user, how can I determine if they are a member of DOMAIN\group ?
You can use an LDAP query for that. Here is a good article:
Howto: (Almost) Everything In Active Directory via C#
Here is a function I have used that works, and you should be able to use it almost as is. You will probably have to create ParseUserDomain, but that is pretty straightforward:
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll
using System.Linq;                                // Contains() on the search result

/// <summary>
/// Checks if a user is in an Active Directory group, including nested membership.
/// </summary>
/// <param name="username">Can contain the domain and username or just username
/// (eg. domain\username or username). If no domain is specified, the default
/// domain is used.</param>
/// <param name="group">Active directory group to check. Group name only. No
/// leading domain as the domain from the user is used.</param>
/// <returns>true if the user is a direct or nested member of the group; false
/// otherwise, including when the user or the group cannot be found.</returns>
public bool UserIsInActiveDirectoryGroup(string username, string group)
{
    bool isInGroup = false;
    string user = "";
    string domain = "";
    // Parses off domain and user into separate values (ParseUserDomain is your own helper)
    ParseUserDomain(username, out domain, out user);
    if (string.IsNullOrEmpty(user) ||
        string.IsNullOrEmpty(domain) ||
        string.IsNullOrEmpty(group))
    {
        return false;
    }
    using (PrincipalContext ADContext = new PrincipalContext(ContextType.Domain, domain))
    {
        using (GroupPrincipal principalGroup = GroupPrincipal.FindByIdentity(ADContext, group))
        {
            if (principalGroup != null)
            {
                using (UserPrincipal ADPrincipalUser = UserPrincipal.FindByIdentity(ADContext, user))
                {
                    // Unknown user: not a member, and avoids calling Contains(null)
                    if (ADPrincipalUser != null)
                    {
                        // true means recursive search: members of nested groups are included
                        using (var users = principalGroup.GetMembers(true))
                        {
                            isInGroup = users.Contains(ADPrincipalUser);
                        }
                    }
                }
            }
        }
    }
    return isInGroup;
}
I answered with a recursive query in a similar entry on Stack Overflow called Find Recursive Group Membership (Active Directory) using C#. Changing the code I gave there can allow you to do what you want.
Answer to own question: I tried the solutions presented, and wasn't able to get them to work. Note, I'm 100% sure this is due to my inexperience with C#, and not anything to do with what the commenters posted. Love and thanks to all the commenters who helped out.
What did work for me is this: http://ddkonline.blogspot.com/2010/05/how-to-recursively-get-group-membership.html
I did have to do some basic tweaks to make the above solution fit my situation (change the LDAP params, for example), but it basically worked. Returns true if member-of-group, false otherwise. I hope this saves future searchers some hair, as I've already lost a handful. Thanks again to all who posted help.
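As an added example (it is not code from the question, either answer, or the linked articles), the following self-contained C# program shows the three pieces the answers above lean on: parsing the DOMAIN\username or UPN input that the first answer leaves to a ParseUserDomain helper, the recursive member-of walk that the "Find Recursive Group Membership" answer and the blog post perform against real AD (here run over a constructed in-memory directory so it executes offline and so a nested-group loop, which AD permits, can be shown), and building a correctly escaped LDAP filter for AD's matching-rule-in-chain so the domain controller does the recursion in one query. The user, group and DN values are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class GroupMembership
{
    // Splits "DOMAIN\user", "user@domain.local" or "user" into its parts.
    // Returns false for empty or malformed input such as "\user" or "user@".
    public static bool TryParseUserDomain(string input, string defaultDomain,
                                          out string domain, out string user)
    {
        domain = defaultDomain;
        user = string.Empty;
        if (string.IsNullOrWhiteSpace(input)) return false;

        int slash = input.IndexOf('\\');
        int at = input.IndexOf('@');
        if (slash >= 0)
        {
            domain = input.Substring(0, slash);
            user = input.Substring(slash + 1);
        }
        else if (at >= 0)
        {
            user = input.Substring(0, at);      // UPN: user@domain
            domain = input.Substring(at + 1);
        }
        else
        {
            user = input;                       // bare name: keep the default domain
        }
        return domain.Length > 0 && user.Length > 0;
    }

    // directMembership maps a principal name to the groups it is a direct member of
    // (the memberOf attribute). Depth-first walk with a visited set, so a
    // GroupA-in-GroupB-in-GroupA loop cannot recurse forever.
    public static bool IsMemberRecursive(string principal, string targetGroup,
        IDictionary<string, IReadOnlyCollection<string>> directMembership)
    {
        var comparer = StringComparer.OrdinalIgnoreCase;   // AD names are case-insensitive
        var visited = new HashSet<string>(comparer);
        var stack = new Stack<string>();
        stack.Push(principal);
        while (stack.Count > 0)
        {
            string current = stack.Pop();
            if (!visited.Add(current)) continue;            // already expanded: cycle or diamond
            if (!directMembership.TryGetValue(current, out var groups)) continue;
            foreach (string g in groups)
            {
                if (comparer.Equals(g, targetGroup)) return true;
                stack.Push(g);
            }
        }
        return false;
    }

    // Escapes a value for use inside an LDAP search filter (RFC 4515 section 3) so a
    // caller-supplied name or DN cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Filter using AD's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941):
    // the user object matches only if it is a direct or transitive member of groupDn.
    public static string BuildNestedMemberFilter(string samAccountName, string groupDn)
    {
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
             + EscapeFilterValue(samAccountName)
             + ")(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(groupDn) + "))";
    }

    public static void Main()
    {
        // Constructed sample directory, not real data: User1 -> GroupY -> GroupX,
        // plus a GroupY <-> GroupLoop cycle that a naive recursion would never leave.
        var memberOf = new Dictionary<string, IReadOnlyCollection<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["User1"]     = new[] { "GroupY" },
            ["GroupY"]    = new[] { "GroupX", "GroupLoop" },
            ["GroupLoop"] = new[] { "GroupY" },
            ["User2"]     = new[] { "GroupZ" },
        };
        if (TryParseUserDomain(@"MYDOMAIN\User1", "MYDOMAIN", out string domain, out string user))
            Console.WriteLine($"{domain}\\{user} in GroupX: {IsMemberRecursive(user, "GroupX", memberOf)}");
        Console.WriteLine($"User2 in GroupX: {IsMemberRecursive("User2", "GroupX", memberOf)}");
        Console.WriteLine(BuildNestedMemberFilter("user1", "CN=GroupX,OU=Groups,DC=mydomain,DC=local"));
    }
}
```

Build it with csc or dotnet run; nothing in it needs a domain. Against a real directory, the filter string is what you would hand to a DirectorySearcher instead of walking memberOf yourself, and the escaping is the check that matters once the account name comes from user input: an unescaped `*`, `(`, `)` or `\` inside the filter changes what the query matches. If you stay with System.DirectoryServices.AccountManagement, UserPrincipal.GetAuthorizationGroups() returns the user's security groups including nested ones, which is usually cheaper than enumerating a large group with GetMembers(true).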