C# System.DirectoryServices.AccountManagement Unknown error (0x80005000) UserPrincipal.IsMemberOf()

Similar to the problem in the following MSDN thread: http://social.msdn.microsoft.com/Forums/en-MY/csharplanguage/thread/4c9fea6c-1d0a-4733-a8ac-e3b78d10e999

I'm trying to check if this user is a member of a group, and our existing functional solutions are too slow (13-16 seconds), and I'm trying to speed it up. I currently have:

    public bool IsMemberAD(string userName, string groupName)
    {
        var pc = new System.DirectoryServices.AccountManagement.PrincipalContext(
            System.DirectoryServices.AccountManagement.ContextType.Domain);
        var user = System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(
            pc,
            System.DirectoryServices.AccountManagement.IdentityType.SamAccountName,
            userName.ToLower());
        var group = System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(pc, groupName);
        if (group == null || user == null)
            return false;
        return user.IsMemberOf(group);
    }

What makes it interesting is that it returns an error only when the user is not in the group directly, but is rather a member of a group included in the target group.

For instance:

Steve and Sam are two users, and GroupParent and GroupChild are two groups. Steve and GroupChild are members of GroupParent. Sam is a member of GroupChild. If I call this function (Steve, GroupParent), it returns true. If I call it (Sam, GroupParent), I get an error. If I call it ("fdkjskghkf", GroupParent), it will return false.

I linked the article above with similar problems, but its solution did not work for me, I still have the same error. Ideas?

+4
5 answers

Thanks to Jon Theriault here, the following code fixed this issue for me.

    string strName = System.Security.Principal.WindowsIdentity.GetCurrent().Name; // "MW\\dalem"
    // This is here because of a .Net error that gets 0x80005000 on "isUser = user.IsMemberOf(groupU);"
    string domainName = strName.Split('\\')[0];
    var pc = new PrincipalContext(ContextType.Domain, domainName);
+5

I remember when I wrote similar code, I ran into some strange problems. I don't know exactly why your call fails, but you can flip your problem and do something like:

 return group.GetMembers(true).Contains(user); 
+2

Can you try something like this:

    using System.DirectoryServices.AccountManagement;
    using System.Linq;

    public bool IsMemberAD(string userName, string groupName)
    {
        PrincipalContext context = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "pwd");

        /* Retrieve the user principal */
        UserPrincipal user = UserPrincipal.FindByIdentity(context, userName);
        if (user == null)
            return false;

        /* Retrieve the group principal */
        GroupPrincipal targetGroup = GroupPrincipal.FindByIdentity(context, groupName);
        if (targetGroup == null)
            return false;

        /* Look for all the groups a user belongs to */
        PrincipalSearchResult<Principal> allGroups = user.GetAuthorizationGroups();
        var grp = (from g in allGroups
                   where g.Sid == targetGroup.Sid
                   select g).FirstOrDefault();
        return (!(grp == null));
    }
0

If anyone is interested. Using DirectorySearcher with the following filter is about 60% faster.

    // {0} = DN of the user, {1} = DN of the group
    string filter = string.Format("(&(distinguishedName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))", dnOfUser, dnOfGroup);

The filter will walk up the chain, not just look at the user's direct parent.

0

GetAuthorizationGroups() does not find nested groups.

To really get all the groups this user is a member of, including nested groups, try this:

    using System;
    using System.Collections.Generic;
    using System.Security.Principal;

    private List<string> GetGroups(string userName)
    {
        List<string> result = new List<string>();
        WindowsIdentity wi = new WindowsIdentity(userName);

        foreach (IdentityReference group in wi.Groups)
        {
            try
            {
                // Translate converts the SID to an account name
                result.Add(group.Translate(typeof(NTAccount)).ToString());
            }
            catch (Exception)
            {
                // SID could not be translated; skip this group
            }
        }

        result.Sort();
        return result;
    }

Use Try / Catch because I had some exceptions in a very large AD (half a million objects) with 2 out of 200 groups, because some SIDs (Translate is a SID → Name conversion) were no longer available. In our huge AD, it only takes <1 second.

0

Source: https://habr.com/ru/post/1381364/

