
I'm writing a web application and I'm trying to authenticate admin users. I was hoping to do this by having a local group on the server that I add domain users into. I have a group called ProductionManagers which I add people with admin rights into. Other users have a view-only access.

What I want to do is to query the AD (right?) on the server and find out if the currently logged in user is a member of the ProductionManagers group (which is a group on the server, not a domain group).

What's the best way of doing this? Or maybe you have a suggestion on a better mechanic than having a local group where I add admins?


1 Answer


If using ASP.NET and form authentication,

using System.Security.Principal;

// Builds a Windows token for the named account (S4U logon) and checks its group membership
WindowsPrincipal principal = new WindowsPrincipal(new WindowsIdentity("youruser@domain.com"));
if (principal.IsInRole("ProductionManagers"))
{
   // User is in the local ProductionManagers group: grant admin access
}

If using ASP.NET and Windows authentication,

using System.Security.Principal;

// Uses the token of the currently impersonated/logged-in Windows user
WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
if (principal.IsInRole("ProductionManagers"))
{
   // User is in the local ProductionManagers group: grant admin access
}

If using something else like Java, PHP, Ruby, you need to call the .NET API or Win32 API to do that. You cannot simply make an LDAP query to retrieve that information. The reason is that the group membership information for a local group is actually stored on the local machine, not in Active Directory.

You need to call something like NetLocalGroupGetMembers to retrieve the group membership information from the local store.

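As an added example (not code from the question or the answer), here is the NetLocalGroupGetMembers call the answer refers to, made from C# via P/Invoke, plus a membership test for the current Windows identity. It assumes it runs on the server that owns the group; "ProductionManagers" is the group from the question, and the class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Reads a *local* group's member list with the Win32 API named in the answer.
// Assumes it runs on the Windows machine that owns the group (example code, not the page's).
static class LocalGroupCheck
{
    // Level-3 entry: one LPWSTR holding "DOMAIN\name" (or "MACHINE\name").
    [StructLayout(LayoutKind.Sequential)]
    struct LOCALGROUP_MEMBERS_INFO_3 { public IntPtr lgrmi3_domainandname; }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetLocalGroupGetMembers(
        string servername, string localgroupname, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, IntPtr resumehandle);
    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);
    const int NERR_Success = 0;
    const int MAX_PREFERRED_LENGTH = -1; // let the API size the buffer for all entries

    // Direct members only: a nested domain group comes back by name, not expanded,
    // which is why the token-based WindowsPrincipal.IsInRole is the simpler check in .NET.
    public static List<string> GetLocalGroupMembers(string groupName)
    {
        var members = new List<string>();
        int status = NetLocalGroupGetMembers(null, groupName, 3, out IntPtr buf,
            MAX_PREFERRED_LENGTH, out int read, out int total, IntPtr.Zero);
        if (status != NERR_Success)
            throw new InvalidOperationException("NetLocalGroupGetMembers failed, status " + status);
        try
        {
            int size = Marshal.SizeOf<LOCALGROUP_MEMBERS_INFO_3>();
            for (int i = 0; i < read; i++)
            {
                var entry = Marshal.PtrToStructure<LOCALGROUP_MEMBERS_INFO_3>(buf + i * size);
                members.Add(Marshal.PtrToStringUni(entry.lgrmi3_domainandname));
            }
        }
        finally { NetApiBufferFree(buf); } // always release the API-allocated buffer
        return members;
    }

    // Compares the caller's "DOMAIN\user" token name against the list, case-insensitively.
    public static bool IsCurrentUserDirectMember(string groupName)
    {
        string me = WindowsIdentity.GetCurrent().Name;
        return GetLocalGroupMembers(groupName).Exists(m => string.Equals(m, me, StringComparison.OrdinalIgnoreCase));
    }
}
```

Because this enumerates the group's stored member list rather than the user's logon token, it reflects edits to the group immediately but does not see membership inherited through a nested domain group; for a per-request admin check in ASP.NET, IsInRole as shown in the answer remains the simpler and more complete test.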
  • Thanks. I'll try that out. Unfortunately I'm off that project at the moment. Hope I can get time to work on it soon again :) – AndersLindas Jun 25 '12 at 07:30