I have a domain group name and need to check recursively whether a domain user is a member of it. After the user principal has been found in the domain, I iterate over all of its authorization groups:
    using System;
    using System.DirectoryServices.AccountManagement;

    // Returns true when userToCheck is (transitively) a member of groupName in the given domain.
    static bool IsMemberOfDomainGroup(string userToCheck, string groupName, string domain)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        {
            UserPrincipal userPrin = UserPrincipal.FindByIdentity(ctx, userToCheck);
            if (userPrin != null)
            {
                // GetAuthorizationGroups() already resolves nested membership
                foreach (GroupPrincipal group in userPrin.GetAuthorizationGroups())
                {
                    if (group.Name.Equals(groupName, StringComparison.OrdinalIgnoreCase))
                    {
                        if (group.Context.Name.StartsWith(domain, StringComparison.OrdinalIgnoreCase))
                        {
                            return true;
                        }
                    }
                }
            }
        }
        return false;
    }
[I know that StartsWith may not be the best choice, but everything works like a charm.]
Only problem: I have two accounts that are NOT part of the built-in Administrators group of the domain. Both user principals are found and the groups are listed, but: for one user the result is FALSE when checking the built-in Administrators group, for the other user the result is TRUE when checking the built-in Administrators group.
I know that the verified group is indeed the correct domain object for both attempts.
Why does it say that one account is in this group?
UPDATE
When querying via cmd (`net user <user> /domain`), the group is NOT displayed. When the code is run from another computer (with the same user being queried), the group is also not displayed. But if I query the current user, who is logged on as an administrator, this user is considered to be a member of the group
CN=Administratoren,CN=Builtin,DC=domain,DC=de
which is simply wrong. The user may be in a local group, but he is definitely NOT a member of the domain Administrators group. The SID of the group is S-1-5-32-544.
UPDATE2
Since PrincipalContext internally uses DirectorySearcher, I tried to find a solution using a DirectorySearcher. It returns only the correct groups (although I'm not sure right now whether it has a function for a recursive group search like the PrincipalContext does).
So either this is a bug, or it has something to do with the "additional groups", as indicated by dlatikay:
"This method searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that the system would consider the user a member of for authorization purposes.
The groups that are returned by this method may include groups from a different scope and store than the principal. For example, if the principal is an AD DS object that has the DN "CN=SpecialGroups,DC=Fabrikam,DC=com", the returned set can contain groups that belong to "CN=NormalGroups,DC=Fabrikam,DC=com"."
But why does it return additional groups? I have to make sure that the user really has the privileges of the returned groups.
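Two points worth keeping in mind when reading the result above. First, S-1-5-32-544 is the same SID for the Builtin Administrators group on every Windows machine and for CN=Administratoren,CN=Builtin in the domain, so once a membership check works on SIDs (as GetAuthorizationGroups() does), a local-machine Administrators membership and a domain Builtin\Administrators membership are indistinguishable. Second, membership can be asked of the directory itself instead of a computed group list: the LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the member attribute match transitively, which answers the open question about a recursive search with DirectorySearcher. The following C# is an added example written for this page, not code from the original post or from .NET; it assumes a domain-joined machine, references to System.DirectoryServices and System.DirectoryServices.AccountManagement, and that groupName is a sAMAccountName. The class and method names are the example's own.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example (not from the original post). Assumes a domain-joined machine and
// that the caller may read group objects in the domain.
static class DomainGroupCheck
{
    // True only for SIDs issued by the user's own domain (S-1-5-21-<domain>-<rid>).
    // Builtin groups such as S-1-5-32-544 are not account SIDs, so they fail this test.
    public static bool IsIssuedByDomain(SecurityIdentifier sid, SecurityIdentifier domainSid)
    {
        return sid.IsAccountSid() && domainSid.Equals(sid.AccountDomainSid);
    }

    // Variant 1: keep GetAuthorizationGroups() but drop every group whose SID was not
    // issued by the user's domain. The computed BUILTIN\Administrators entry (S-1-5-32-544)
    // can then no longer produce a false positive for a domain group check.
    public static bool IsMemberViaAuthorizationGroups(string userName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            if (user == null) return false;
            SecurityIdentifier domainSid = user.Sid.AccountDomainSid;
            foreach (GroupPrincipal group in user.GetAuthorizationGroups())
            {
                if (!IsIssuedByDomain(group.Sid, domainSid)) continue;
                if (groupName.Equals(group.SamAccountName, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }
        return false;
    }

    // Variant 2: ask the directory. The matching rule 1.2.840.113556.1.4.1941 evaluates
    // "member" transitively, so a single query returns every group the user is nested in.
    // Nothing is computed from a logon token, so local-machine groups never appear.
    public static bool IsMemberViaLdapChain(string userName, string groupName)
    {
        string userDn;
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            if (user == null) return false;
            userDn = user.DistinguishedName;
        }

        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domainRoot = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domainRoot))
        {
            // The DN is data, not filter syntax: escape it so it cannot alter the filter.
            searcher.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:="
                              + EscapeFilterValue(userDn) + "))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PageSize = 500; // paged results, so large memberships are not truncated

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    string name = result.Properties["sAMAccountName"][0].ToString();
                    if (groupName.Equals(name, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
        }
        return false;
    }

    // RFC 4515 escaping for values embedded in an LDAP search filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }
}
```

Variant 1 deliberately rejects every S-1-5-32-* group, including the domain's own Builtin\Administrators, because by SID alone it cannot be told apart from a workstation's local Administrators group; when membership in a Builtin group is what has to be verified, use Variant 2, which reads the directory's member links rather than a group list computed on the querying machine.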