Is there a way to identify whether or not a person is in a specified group in Active Directory, even if the group is several levels deep?
Sometimes the architecture in Active Directory is very complicated. There are many groups in my AD and they are hierarchical.
Take this for example: Group A is the top group, it has a child Group B, and Group B also has a child C. C is the leaf node and it is a person in AD. Is there an approach to identify that C is a member of Group A?
I can do this by enumerating the "memberof" property recursively in AD. But is there a more efficient mechanism to do that work?
I need to do that in .NET with C#. Any help will be appreciated.
Check out UserPrincipal.GetAuthorizationGroups. It's giving you all the groups in the token, as mentioned by Swanny.
Not sure if there is a better way these days, but this is how we did it back in the .NET 1.0 days. There is a method, I think, called GetTokens() or something like that. It might only be available via the COM interface (so you need to wrap it in an interop). It gives you back a list of SIDs for each thing that the user is ultimately a member of (even if a group within a group within a group), and then you can just get the SID of the group you're interested in and check whether it is in the list returned earlier. Getting the list of SIDs is a little resource heavy, so you might want to cache the result. If you make lots of calls at once you can slow the AD down.
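The two answers above combined, as an added example that is not code from either poster: it resolves the user's transitive security groups with UserPrincipal.GetAuthorizationGroups, compares SIDs against the target group, and caches the SID set per user. The class name NestedGroupChecker, the domain "CORP", the account "jdoe", the group name "Group A" and the five-minute lifetime are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

public sealed class NestedGroupChecker // hypothetical helper, not a framework type
{
    private readonly PrincipalContext _ctx;
    private readonly TimeSpan _ttl; // how long a user's resolved SID set is reused
    private readonly ConcurrentDictionary<string, (DateTime Expires, HashSet<SecurityIdentifier> Sids)> _cache =
        new ConcurrentDictionary<string, (DateTime, HashSet<SecurityIdentifier>)>(StringComparer.OrdinalIgnoreCase);

    public NestedGroupChecker(PrincipalContext ctx, TimeSpan ttl) { _ctx = ctx; _ttl = ttl; }

    public bool IsMemberOf(string samAccountName, string groupName)
    {
        using (var group = GroupPrincipal.FindByIdentity(_ctx, IdentityType.SamAccountName, groupName))
        {
            if (group == null) throw new ArgumentException("Group not found: " + groupName);
            // Compare by SID, not by name: names can be renamed or duplicated across domains.
            return GetGroupSids(samAccountName).Contains(group.Sid);
        }
    }

    private HashSet<SecurityIdentifier> GetGroupSids(string samAccountName)
    {
        if (_cache.TryGetValue(samAccountName, out var hit) && hit.Expires > DateTime.UtcNow)
            return hit.Sids;
        using (var user = UserPrincipal.FindByIdentity(_ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("User not found: " + samAccountName);
            // One directory call returns nested memberships already expanded.
            // Only security groups are returned; distribution groups are not.
            var sids = new HashSet<SecurityIdentifier>(
                user.GetAuthorizationGroups().Where(g => g.Sid != null).Select(g => g.Sid));
            _cache[samAccountName] = (DateTime.UtcNow + _ttl, sids);
            return sids;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // "CORP", "jdoe" and "Group A" are placeholder values.
        using (var ctx = new PrincipalContext(ContextType.Domain, "CORP"))
            Console.WriteLine(new NestedGroupChecker(ctx, TimeSpan.FromMinutes(5)).IsMemberOf("jdoe", "Group A"));
    }
}
```

When the result gates access, keep the cache lifetime short: a user removed from a group still passes the check until their cached entry expires.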