
I am trying to verify whether the logged-in user exists in an AD group or distribution list. I tried to use WindowsIdentity, but that does not give me proper results. If I add a user to the DL and then check whether the user is in the DL, it gives me incorrect results.

I restarted my IIS and even cleared my browser cookies and cache, but no luck. Where does the IsInRole() function verify the user role: in AD or on the local machine? I tried to remove myself from the local machine group too, but it still authorizes me for that group. Any help would be appreciated.

Ashish

1 Answer

If you are using .NET 3.5, you can consider using Principal.IsMemberOf() in System.DirectoryServices.AccountManagement. I tried it and it works with AD security groups as well as DLs. More details about how to program with groups can be found here.

Harvey Kwok
  • I got this working. Thanks so much. However, one more thing: if group B is a member of group A, I am a member of group B, and I try to verify myself for group A, it returns false. Is it possible to verify recursive membership? – Ashish Dec 20 '10 at 03:32
  • If your group is a security group but not a DL, you can use UserPrincipal.GetAuthorizationGroups http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal.getauthorizationgroups.aspx. If your group must be a DL, I am afraid there is no efficient way to do this. You may have to expand the DL recursively using GroupPrincipal.GetMembers(true) and check if the user is inside the group. You can post another question on StackOverflow and see if anyone knows a better way to do it for DLs. – Harvey Kwok Dec 20 '10 at 06:07
  • This still doesn't work. Here is the IIS configuration of my web app: Authentication Mode: Basic + Windows; Application Pool Identity: NetworkService. My groups are security groups in AD. Any help would be highly appreciated. – Ashish Dec 21 '10 at 03:55
  • I need to know more background. Are you trying to check if your IIS machine is in a particular group? Or are you trying to check if a user is in a particular group? If you can paste the code, it would be very helpful. You said it's not working. Is any exception being thrown? – Harvey Kwok Dec 21 '10 at 04:27
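
The calls named in the answer and its comments, combined into one membership check (an added example, not code posted by either participant): direct membership via IsMemberOf, nested security groups via GetAuthorizationGroups, and recursive expansion via GetMembers(true) for a DL. The class name and the domain, user and group arguments are assumptions supplied by the caller.

```csharp
// Added example. Requires a reference to
// System.DirectoryServices.AccountManagement (.NET 3.5 or later).
using System;
using System.DirectoryServices.AccountManagement;

static class GroupMembership   // hypothetical helper class
{
    // domain, userName and groupName are caller-supplied (assumed) values.
    public static bool IsMember(string domain, string userName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            // Fail closed: an unknown user or group is never a member.
            if (user == null || group == null) return false;

            // 1. Direct membership; works for security groups and DLs.
            if (user.IsMemberOf(group)) return true;

            // 2. Nested membership. GetAuthorizationGroups is recursive but
            //    returns security groups only, so it cannot answer for a DL.
            if (group.IsSecurityGroup == true)
            {
                using (var groups = user.GetAuthorizationGroups())
                    foreach (Principal g in groups)
                        if (g.Sid != null && g.Sid.Equals(group.Sid)) return true;
                return false;
            }

            // 3. Distribution list: expand it recursively and look for the
            //    user among the leaf members. Slow on large lists.
            using (var members = group.GetMembers(true))
                foreach (Principal m in members)
                    if (m.Sid != null && m.Sid.Equals(user.Sid)) return true;
            return false;
        }
    }

    static void Main(string[] args)
    {
        // Usage: GroupMembership.exe <domain> <samAccountName> <groupName>
        if (args.Length != 3) { Console.Error.WriteLine("expected: domain user group"); return; }
        Console.WriteLine(IsMember(args[0], args[1], args[2]));
    }
}
```

The lookup runs under the identity of the calling process, so in an IIS application that identity (the application pool account unless impersonation is enabled) needs read access to the directory.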