How to use DirectoryServices to determine if a user is a member of a group


Brad Mann

I am looking for a low cost way of determining whether a user is a member of
a specific group in Active Directory. Does anyone know of a quick and dirty way
to do this? I currently go and get the collection of groups to which a user
belongs, then iterate through them to see if the name of the group matches
the one sent into my function. I am hoping to find an easier way to do
this.

Here is a sample of the code which is currently being used:

Imports System.DirectoryServices

Dim strPath As String
Dim objDirEnt As DirectoryEntry
Dim objGroups As Object
Dim objGroup As Object
Dim objGroupDirEnt As DirectoryEntry
Dim blnIsMember As Boolean = False
' strGroup is the group name passed into this function

' Bind to the current user through the WinNT provider
strPath = "WinNT://OURSERVER.COM/" & GetCurrentUser() & ",user"
objDirEnt = New DirectoryEntry(strPath)

' Ask ADSI for the user's groups and compare each group name with the one passed in
objGroups = objDirEnt.Invoke("Groups")
For Each objGroup In objGroups
    objGroupDirEnt = New DirectoryEntry(objGroup)
    If Trim(objGroupDirEnt.Name) = Trim(strGroup) Then blnIsMember = True
Next

Thanks,

Brad
 
Hello Brad,

Thanks for your post. As I understand, you want to know a better method to
determine if a user belongs to a specific group. Please correct me if there
is any misunderstanding.

I reviewed your description and code snippet carefully, and I believe that
the method you are currently using is good and, as far as I know, I am
afraid that there is no better method. Generally speaking, to determine if
a user belongs to a specific group, we should either retrieve the groups to
which a user belongs and check if they contain the specific group, or
retrieve the users in a group and see if a user is among them. In general,
a user may belong to a few groups, while a group may contain many users.

Please feel free to let me know if you have any problems or concerns
regarding this issue.

Have a nice day!

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
First off, I would STRONGLY recommend tossing out the WinNT provider
and using the LDAP provider instead. Only the LDAP provider really
knows about OU's and such stuff in AD - WinNT is "blind" to that.

Next, you can simplify your code a bit - if you send in a group and a
user name, you can either bind to the group and enumerate its "member"
property, or bind to the user and enumerate its "memberOf" property -
either way, you'll need to go through a list of things.

The group's list of members will potentially be longer (you usually
have few groups with more members, but each user is member of only a
few groups), but the "member" attribute of the group is stored in AD,
while the "memberOf" attribute of the user is only determined at
runtime when needed (so that might incur a performance penalty).

So, try this - and if it's slow, try it the "other way around" maybe
:-) It's in C# (since I'm not really familiar with the VB.NET syntax)

using System;
using System.DirectoryServices;

public bool IsMember(string aUser, string aGroup)
{
    bool bResult = false;

    // bind to user (the DN is passed in; the actual bind happens on first property access)
    using (DirectoryEntry deUser = new DirectoryEntry("LDAP://" + aUser))
    {
        // enumerate the groups the user belongs to; memberOf holds the DN of each group
        foreach (object oMember in deUser.Properties["memberOf"])
        {
            // DNs are not case-sensitive, so compare them that way
            if (string.Equals(aGroup, oMember.ToString(), StringComparison.OrdinalIgnoreCase))
            {
                bResult = true;
                break;
            }
        }
    }

    return bResult;
}

string strUser = "cn=John Henry,ou=Railroads,dc=Fabrikam,dc=com";
string strGroup = "cn=Foremen,ou=Railroads,dc=Fabrikam,dc=com";

if (IsMember(strUser, strGroup))
{
    // do something
}

HTH
Marc
================================================================
Marc Scheuner May The Source Be With You!
Bern, Switzerland m.scheuner(at)inova.ch
 

Here is a VB.Net example using ActiveDS and DirectoryServices.

Imports System.DirectoryServices
Imports ActiveDs

' Bind with explicit credentials ("user"/"pwd" are placeholders) over a secure connection
Dim de As New DirectoryEntry("LDAP://CN=user,OU=people,DC=domain,DC=com", _
    "user", "pwd", AuthenticationTypes.Secure)

Dim usr As IADsUser
Dim grp As IADsGroup

' Drop down to the underlying ADSI COM object to use IADsUser.Groups
usr = CType(de.NativeObject, IADsUser)

For Each grp In usr.Groups
    Response.Write(grp.Name & "<br>")
Next

This will return all groups the user is a member of.
 

First of all, this has the same limitations as the .Net sample -
primary group and nested groups will not be returned.

Also, what do you try to gain from going back to the "nativeObject"
and the bare bones ADSI interfaces? I don't see any benefit in that...

Marc
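Putting Marc's two points together (checking from the user side through "memberOf", and the caveat that neither "memberOf" nor IADsUser.Groups returns the primary group or nested groups), here is an added C# example. It is not code from the thread or from any of its posters. It assumes the process runs as a domain account that can read the user and group objects, that serverless "LDAP://" binding resolves a domain controller, and the DNs in Main are constructed placeholders in the thread's Fabrikam style. It goes beyond the thread in two ways: it compares SIDs rather than names, and it reads the DC-computed "tokenGroups" attribute, which already includes nested and primary group membership. The second method keeps Marc's "memberOf" direction but lets the server walk the nesting with the LDAP_MATCHING_RULE_IN_CHAIN extensible match, with the caller-supplied group DN escaped before it goes into the filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example (not from the thread). Assumes a domain account with read
// access to the user and group objects and serverless LDAP:// binding.
public static class GroupMembershipCheck
{
    // Escape a value before placing it inside an LDAP search filter (RFC 4515),
    // so a caller-supplied DN (which may itself contain backslashes or
    // parentheses) cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Effective membership: tokenGroups is a constructed attribute the DC fills
    // with the SIDs of every security group the user belongs to, including
    // nested groups and the primary group that memberOf leaves out.
    // (Distribution groups are not part of tokenGroups.)
    public static bool IsEffectiveMember(string userDn, string groupDn)
    {
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn))
        using (DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDn))
        {
            SecurityIdentifier groupSid =
                new SecurityIdentifier((byte[])group.Properties["objectSid"].Value, 0);

            // Constructed attributes are only returned when asked for explicitly.
            user.RefreshCache(new[] { "tokenGroups" });

            List<byte[]> sids = new List<byte[]>();
            foreach (object raw in user.Properties["tokenGroups"])
                sids.Add((byte[])raw);

            return ContainsSid(sids, groupSid);
        }
    }

    // Pure comparison step, kept separate so it can be reasoned about without a domain.
    // Comparing SIDs rather than names survives a group being renamed.
    public static bool ContainsSid(IEnumerable<byte[]> sidBlobs, SecurityIdentifier target)
    {
        foreach (byte[] blob in sidBlobs)
        {
            if (new SecurityIdentifier(blob, 0).Equals(target))
                return true;
        }
        return false;
    }

    // Server-side alternative in the memberOf direction Marc describes: the
    // LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941, available
    // from Windows Server 2003 SP2 on) makes the DC walk nested groups. It still
    // does not see the primary group; IsEffectiveMember does.
    public static bool IsMemberByChainFilter(string userDn, string groupDn)
    {
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn))
        using (DirectorySearcher searcher = new DirectorySearcher(user))
        {
            searcher.SearchScope = SearchScope.Base;   // only the user object itself
            searcher.Filter = "(memberOf:1.2.840.113556.1.4.1941:="
                              + EscapeFilterValue(groupDn) + ")";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;        // a hit means the user is in the chain
        }
    }

    public static void Main()
    {
        // Placeholder DNs, constructed for this example.
        string userDn = "CN=John Henry,OU=Railroads,DC=Fabrikam,DC=com";
        string groupDn = "CN=Foremen,OU=Railroads,DC=Fabrikam,DC=com";

        Console.WriteLine("effective member: " + IsEffectiveMember(userDn, groupDn));
        Console.WriteLine("chain filter:     " + IsMemberByChainFilter(userDn, groupDn));
    }
}
```

IsEffectiveMember is the one to use when the question is "what will this user's access token contain", since it is the same group set the DC puts in the token; IsMemberByChainFilter is the cheaper call when only the group's explicit and nested membership matters and the primary group is known not to be involved.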
 