Read user authorization groups from Active Directory

In our system we are reading user security groups from an Active Directory in two slightly different ways. In one case the list of groups returned by the AD is missing the domain local groups. The response from GetAuthorizationGroups () is dependent on the used PrincipalContext. In the failing scenarios GetAuthorizationGroups() will only return global groups. The result is missing all domain local groups from the AD. Can anyone please explain why?

Failing solution:

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net");

var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");

PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the process is executed by “UserA”. “UserA” is a member of the domain “our.domain.net”. “UserA” is the very same user as the specifically identified user in the working solution. The PrincipalContext should because of that be identical to the PrincipalContext in the working solution. The respons开发者_JAVA百科e from GetAuthorizationGroups() in this solution miss domain local groups from the AD.

Working solution:

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net", "UserA", "PasswordA");

var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");

PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the calling user is identified specifically by use name and password when creating the Principal Context. In this case the AD returns all the groups that the user is a member of. This is the behavior I would like to see from the failing solution as well. In some cases I do not have the user password of UserA and of that reason the Working solution is not an option.

Please help me understand why the failing solution does not return all the groups that the user is a member of.

"It misses domain local groups from the AD" because you are probably iterating the resulting groups with foreach loop and you are getting NoMatchingPrincipalException exception for one of the groups that the user doesnt have read access and at that point it stops iterating, failing to get the rest of the groups.

As a solution you may use the following iterator (the code behind the foreach structure) to get all the rest of the groups:

var enumerator = groups.GetEnumerator();                
while (enumerator.MoveNext())
{
    try
    {
        var e = enumerator.Current;
        listView1.Items.Add(e.Name);
    }
    catch (NoMatchingPrincipalException)
    {
    }
}

We finally found the problem. It turned out not to be a coding problem at all. The strange behaviour was caused by an erronious Domain Level in the Active Directory.

Domain Level had to be set to "2003 functional level"

Now it all works as expected.