I cannot seem to be able to find that a certain user is a member of a DeployUsersProduction group. Here's what I have so far:

```csharp
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public Modes GetDeployMode()
{
    bool isProd = false;

    WindowsIdentity windowsIdentity = WindowsIdentity.GetCurrent();
    if (windowsIdentity == null || windowsIdentity.Groups == null) { return Modes.DUS; }

    foreach (IdentityReference identityReference in windowsIdentity.Groups)
    {
        try
        {
            var reference = identityReference;
            string group = reference.Translate(typeof (NTAccount)).Value.Trim();

            if (!String.Equals(group, "DeployUsersProduction", StringComparison.OrdinalIgnoreCase)) { continue; }

            isProd = true;
            break;
        }
        catch (Exception ex)
        {
            // Silent catch due to the [Some or all identity references could not be translated]
            // error that sometimes occurs while trying to map an identity.
        }
    }

    return isProd ? Modes.Prod : Modes.DUS;
}
```

I've got all the config, spn, db, perms, etc correct as far as I can tell. I just have one user that should be returning Modes.Prod and it's not.

Code Maverick
  • have you thought about trying to use `PrincipalContext` [Principal.GetGroups](http://msdn.microsoft.com/en-us/library/bb335571%28v=vs.110%29.aspx) – MethodMan Dec 24 '14 at 17:20
  • Hmm ... when I try to add `System.DirectoryServices.AccountManagement` it doesn't even recognize the `DirectoryServices` namespace. – Code Maverick Dec 24 '14 at 17:23
  • you need to add the reference both by using and right clicking on references-->Add...etc – MethodMan Dec 24 '14 at 17:25
  • Duh ... forgot that part. Underneath `Principal` I don't see a `GetGroups()` method, just `FindByIdentity()` – Code Maverick Dec 24 '14 at 17:29
  • did you check out the link in my initial comment..? – MethodMan Dec 24 '14 at 17:38
  • Here is an example of how you can loop thru the collection based on your original code example http://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.groups%28v=vs.110%29.aspx – MethodMan Dec 24 '14 at 17:41
  • http://blogs.msdn.com/b/shawnfa/archive/2008/02/07/which-groups-does-windowsidentity-groups-return.aspx – MethodMan Dec 24 '14 at 17:42

1 Answer

The answer wasn't that my approach was wrong, it was the fact that I needed to prefix my group that I was searching for with its domain:

```csharp
if (!String.Equals(group, @"DOMAIN\DeployUsersProd", StringComparison.OrdinalIgnoreCase)) { continue; }
```

Special thanks to @DJ KRAZE for the links that led me to writing my own Console app that outputted the groups so I could figure this out!

Code Maverick
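An added example, not part of the original question or answer: a console program that prints each group SID in the current token next to its translated `DOMAIN\Group` name, then checks membership by resolving the wanted name to a SID once and comparing SIDs, so an unmappable group in the token cannot hide a match. The helper name `IsMemberOf` is hypothetical and `DOMAIN\DeployUsersProd` is a placeholder for the real domain and group.

```csharp
using System;
using System.Security.Principal;

static class GroupCheck
{
    // Hypothetical helper: true when the identity's token carries the named group.
    // qualifiedName must be in DOMAIN\Group form, the form Translate(typeof(NTAccount)) returns.
    public static bool IsMemberOf(WindowsIdentity identity, string qualifiedName)
    {
        if (identity == null || identity.Groups == null) { return false; }

        SecurityIdentifier wanted;
        try
        {
            // Resolve the name to a SID once, then compare SIDs instead of display names.
            wanted = (SecurityIdentifier)new NTAccount(qualifiedName).Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return false; // the name does not resolve: fail closed
        }

        foreach (IdentityReference reference in identity.Groups)
        {
            if (reference.Equals(wanted)) { return true; }
        }
        return false;
    }

    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // Print every group SID with its translated name to see the exact strings.
            foreach (IdentityReference reference in identity.Groups)
            {
                string name;
                try { name = reference.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = "<unmapped>"; }
                Console.WriteLine("{0}  {1}", reference.Value, name);
            }
            // Placeholder group name: substitute the real domain and group.
            Console.WriteLine(IsMemberOf(identity, @"DOMAIN\DeployUsersProd"));
        }
    }
}
```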