How to get the groups of a user in Active Directory c asp net

Question

I use this code to get the groups of the current user  But I want to manually give the user and then get his groups  How can I do this   using System Security Principal   public ArrayList Groups         ArrayList groups   new ArrayList         foreach  IdentityReference group in System Web HttpContext Current Request LogonUserIdentity Groups                groups Add group Translate typeof NTAccount   ToString                return groups

User · Answer

In case Translate works locally but not remotly e.i group.Translate(typeof(NTAccount)

If you want to have the application code executes using the LOGGED IN USER identity, then enable impersonation. Impersonation can be enabled thru IIS or by adding the following element in the web.config.

<system.web>
<identity impersonate="true"/>

If impersonation is enabled, the application executes using the permissions found in your user account. So if the logged in user has access, to a specific network resource, only then will he be able to access that resource thru the application.

Thank PRAGIM tech for this information from his diligent video

Windows authentication in asp.net Part 87:

https://www.youtube.com/watch?v=zftmaZ3ySMc

But impersonation creates a lot of overhead on the server

The best solution to allow users of certain network groups is to deny anonymous in the web config <authorization><deny users="?"/><authentication mode="Windows"/>

and in your code behind, preferably in the global.asax, use the HttpContext.Current.User.IsInRole :

Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
If HttpContext.Current.User.IsInRole("TheDomain\TheGroup") Then
//code to do when user is in group
End If

NOTE: The Group must be written with a backslash \ i.e. "TheDomain\TheGroup"

User · Answer

Within the AD every user has a property memberOf  This contains a list of all groups he belongs to   Here is a little code example       replace  part of user name  with some partial user name existing in your AD  var userNameContains    part of user name    var identity   WindowsIdentity GetCurrent   User  var allDomains   Forest GetCurrentForest   Domains Cast lt Domain gt      var allSearcher   allDomains Select domain   gt        var searcher   new DirectorySearcher new DirectoryEntry  LDAP       domain Name            Apply some filter to focus on only some specfic objects     searcher Filter   String Format    amp   amp  objectCategory person  objectClass user  name   0        userNameContains       return searcher       var directoryEntriesFound   allSearcher      SelectMany searcher   gt  searcher FindAll            Cast lt SearchResult gt             Select result   gt  result GetDirectoryEntry       var memberOf   directoryEntriesFound Select entry   gt        using  entry                return new                       Name   entry Name              GroupName     object   entry Properties  MemberOf   Value  Select obj   gt  obj ToString                          foreach  var item in memberOf        Debug Print  Name       item Name       Debug Print  Member of          foreach  var groupName in item GroupName                Debug Print         groupName              Debug Print String Empty

User · Answer

If you re on  NET 3 5 or up  you can use the new System DirectoryServices AccountManagement  S DS AM  namespace which makes this a lot easier than it used to be   Read all about it here  Managing Directory Security Principals in the  NET Framework 3 5  Update  older MSDN magazine articles aren t online anymore  unfortunately - you ll need to download the CHM for the January 2008 MSDN magazine from Microsoft and read the article in there   Basically  you need to have a  principal context   typically your domain   a user principal  and then you get its groups very easily   public List lt GroupPrincipal gt  GetGroups string userName       List lt GroupPrincipal gt  result   new List lt GroupPrincipal gt            establish domain context    PrincipalContext yourDomain   new PrincipalContext ContextType Domain          find your user    UserPrincipal user   UserPrincipal FindByIdentity yourDomain  userName          if found - grab its groups    if user    null             PrincipalSearchResult lt Principal gt  groups   user GetAuthorizationGroups              iterate over all groups       foreach Principal p in groups                      make sure to add only group principals          if p is GroupPrincipal                          result Add  GroupPrincipal p                               return result      and that s all there is  You now have a result  a list  of authorization groups that user belongs to - iterate over them  print out their names or whatever you need to do   Update  In order to access certain properties  which are not surfaced on the UserPrincipal object  you need to dig into the underlying DirectoryEntry   public string GetDepartment Principal principal        string result   string Empty       DirectoryEntry de    principal GetUnderlyingObject   as DirectoryEntry        if  de    null               if  de Properties Contains  department                       result   de Properties  department   0  ToString                        return result      Update  2  seems shouldn t be too hard to put these two snippets of code together     but ok - here it goes   public string GetDepartment string username        string result   string Empty          if you do repeated domain access  you might want to do this  once  outside this method          and pass it in as a second parameter      PrincipalContext yourDomain   new PrincipalContext ContextType Domain           find the user     UserPrincipal user   UserPrincipal FindByIdentity yourDomain  username           if user is found     if user    null                  get DirectoryEntry underlying it        DirectoryEntry de    user GetUnderlyingObject   as DirectoryEntry           if  de    null                     if  de Properties Contains  department                             result   de Properties  department   0  ToString                                    return result

User · Answer

GetAuthorizationGroups   does not find nested groups  To really get all groups a given user is a member of  including nested groups   try this   using System Security Principal  private List lt string gt  GetGroups string userName        List lt string gt  result   new List lt string gt         WindowsIdentity wi   new WindowsIdentity userName        foreach  IdentityReference group in wi Groups                try                       result Add group Translate typeof NTAccount   ToString                       catch  Exception ex                result Sort        return result      I use try catch because I had some exceptions with 2 out of 200 groups in a very large AD because some SIDs were no longer available   The Translate   call does a SID -  Name conversion

User · Answer

My solution   UserPrincipal user   UserPrincipal FindByIdentity new PrincipalContext ContextType Domain  myDomain   IdentityType SamAccountName  myUser   List lt string gt  UserADGroups   new List lt string gt                 foreach  GroupPrincipal group in user GetGroups          UserADGroups Add group ToString

User · Answer

First of all  GetAuthorizationGroups   is a great function but unfortunately has 2 disadvantages    Performance is poor  especially in big company s with many users and groups  It fetches a lot more data then you actually need and does a server call for each loop iteration in the result It contains bugs which can cause your application to stop working  some day  when groups and users are evolving  Microsoft recognized the issue and is related with some SID s  The error you ll get is  An error occurred while enumerating the groups    Therefore  I ve wrote a small function to replace GetAuthorizationGroups   with better performance and error-safe  It does only 1 LDAP call with a query using indexed fields  It can be easily extended if you need more properties than only the group names   cn  property       Usage  GetAdGroupsForUser2  domain user   or GetAdGroupsForUser2  user   domain   public static List lt string gt  GetAdGroupsForUser2 string userName  string domainName   null        var result   new List lt string gt          if  userName Contains          userName Contains                     domainName   userName Split new char                  0           userName   userName Split new char                  1              using  PrincipalContext domainContext   new PrincipalContext ContextType Domain  domainName           using  UserPrincipal user   UserPrincipal FindByIdentity domainContext  userName               using  var searcher   new DirectorySearcher new DirectoryEntry  LDAP       domainContext Name                                  searcher Filter   String Format    amp  objectCategory group  member  0      user DistinguishedName                   searcher SearchScope   SearchScope Subtree                  searcher PropertiesToLoad Add  cn                     foreach  SearchResult entry in searcher FindAll                        if  entry Properties Contains  cn                            result Add entry Properties  cn   0  ToString                        return result

User · Answer

This works for me  public string   GetGroupNames string domainName  string userName                List lt string gt  result   new List lt string gt              using  PrincipalContext principalContext   new PrincipalContext ContextType Domain  domainName                         using  PrincipalSearchResult lt Principal gt  src   UserPrincipal FindByIdentity principalContext  userName  GetGroups                                  src ToList   ForEach sr   gt  result Add sr SamAccountName                                     return result ToArray

User · Answer

The answer depends on what kind of groups you want to retrieve   The System DirectoryServices AccountManagement namespace provides two group retrieval methods   GetGroups - Returns a collection of group objects that specify the groups of which the current principal is a member  This overloaded method only returns the groups of which the principal is directly a member  no recursive searches are performed  GetAuthorizationGroups - Returns a collection of principal objects that contains all the authorization groups of which this user is a member  This function only returns groups that are security groups  distribution groups are not returned  This method searches all groups recursively and returns the groups in which the user is a member  The returned set may also include additional groups that system would consider the user a member of for authorization purposes   So GetGroups gets all groups of which the user is a direct member  and GetAuthorizationGroups gets all authorization groups of which the user is a direct or indirect member  Despite the way they are named  one is not a subset of the other   There may be groups returned by GetGroups not returned by GetAuthorizationGroups  and vice versa  Here s a usage example  PrincipalContext domainContext   new PrincipalContext ContextType Domain   quot MyDomain quot    quot OU AllUsers DC MyDomain DC Local quot    UserPrincipal inputUser   new UserPrincipal domainContext   inputUser SamAccountName    quot bsmith quot   PrincipalSearcher adSearcher   new PrincipalSearcher inputUser   inputUser    UserPrincipal adSearcher FindAll   ElementAt 0   var userGroups   inputUser GetGroups

User · Answer

In my case the only way I could keep using GetGroups   without any expcetion was adding the user  USER WITH PERMISSION  to the group which has permission to read the AD  Active Directory   It s extremely essential to construct the PrincipalContext passing this user and password   var pc   new PrincipalContext ContextType Domain  domain   USER WITH PERMISSION    PASS    var user   UserPrincipal FindByIdentity pc  IdentityType SamAccountName  userName   var groups   user GetGroups      Steps you may follow inside Active Directory to get it working         Into Active Directory create a group  or take one  and under secutiry tab add  Windows Authorization Access Group    Click on  Advanced  button   Select  Windows Authorization Access Group  and click on  View    Check  Read tokenGroupsGlobalAndUniversal    Locate the desired user and add to the group you created  taken  from the first step

[c#] How to get the groups of a user in Active Directory? (c#, asp.net)

Examples related to c#

Examples related to asp.net

Examples related to active-directory