How can I execute a query if a user of one domain is a member of a group in another AD domain?

I have a number of applications that use the same C# .Net 2.0 code that I created to check whether a user is a member of an Active Directory group.

I had no problems with my code until recently, when I added a user from another trusted AD domain to one of my AD groups. My question is: how can I check whether a user is a member of an Active Directory group regardless of their domain? In other words, they may or may not be in the same domain as my group. Below is the code that I wrote and have used over the years to find out whether a user is in an Active Directory group. I'm not sure where I adapted this code from, but I suspect it came from an MSDN article. In addition, the solution needs to work on the .Net 2.0 framework. I found quite a few answers that might work for this problem in .Net 3.5; unfortunately, those won't work for my scenario.

    using System;
    using System.DirectoryServices;

    // This method takes a user name and the name of an AD group (role).
    // Current callers do not pass the user's domain with userName, because it
    // comes from the Environment.UserName property.
    private static bool IsInRole(string userName, string role)
    {
        try
        {
            role = role.ToLowerInvariant();
            // Bind to the default naming context of the current domain and look up the user.
            DirectorySearcher ds = new DirectorySearcher(new DirectoryEntry(null));
            ds.Filter = "(samaccountname=" + userName + ")";
            SearchResult sr = ds.FindOne();
            DirectoryEntry de = sr.GetDirectoryEntry();
            // Each memberOf value is a group DN such as "CN=Group,OU=...,DC=...":
            // strip the leading "CN=" and keep the text up to the first comma.
            PropertyValueCollection dir = de.Properties["memberOf"];
            for (int i = 0; i < dir.Count; ++i)
            {
                string s = dir[i].ToString().Substring(3);
                s = s.Substring(0, s.IndexOf(',')).ToLowerInvariant();
                if (s == role)
                    return true;
            }
            return false;
        }
        catch
        {
            // Any lookup failure (user not found, no memberOf values, ...) counts as "not in role".
            return false;
        }
    }
+6
1 answer

This is not the answer you are waiting for, but I hope it can help.

First: you believe that the code works in your domain, but I don't see where it takes care of the user's primary group. If you select a group as a user's primary group, that group no longer appears in the memberOf attribute.

Second: in my understanding, the way (I hope it is not the only one, but I'm still looking) to see whether the user is in the group is to "reverse" the search and look for the user's DN in the member attribute of the group objects. In your case you can then target both your domain and the other domain, and you can do it with ONE domain search. Here is an example of such a "recursive single-shot search" using the control:

    using System;
    using System.DirectoryServices;

    static void FindGroupsOfUser()
    {
        /* Connection to Active Directory */
        string sFromWhere = "LDAP://WIN-COMPUTER:389/";
        DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\user", "password");

        /* To find all the groups that "user1" is a member of:
         *   Set the base to the groups container DN; for example the root DN (dc=dom,dc=fr)
         *   Set the scope to subtree
         *   Use the following filter:
         *   (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
         */
        DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
        dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
        dsLookFor.SearchScope = SearchScope.Subtree;
        dsLookFor.PropertiesToLoad.Add("cn");
        SearchResultCollection srcGroups = dsLookFor.FindAll();

        // Every result is a group (direct or nested) that holds the user's DN.
        foreach (SearchResult srcGroup in srcGroups)
        {
            Console.WriteLine(srcGroup.Properties["cn"][0]);
        }
    }

Note: you can use a more precise filter to exclude distribution groups, for example.


Edited (to answer comment questions):

First: do you need credentials? I would say no if the request is executed from a computer that belongs to the domain or to a trusted domain.

Second and third: yes, Microsoft filters are documented on the Internet (see Search Filter Syntax). I wrote this filter by deducing it from the samples.

+1
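As an added example (not the asker's or the answerer's code), here is how the chained-membership filter from the answer can be combined with a forest-wide user lookup to give a .NET 2.0 IsInRole that works whichever domain the user comes from. It assumes both domains are in the same forest, so the global catalog can resolve the user and the group's member attribute holds the user's real DN; the server names and the group-owning domain's DN are placeholders, and EscapeFilterValue is a helper written for this example.

```csharp
using System;
using System.DirectoryServices;

// Added example: cross-domain, nested-aware group membership check for .NET 2.0.
// The group's member attribute is matched with LDAP_MATCHING_RULE_IN_CHAIN
// (OID 1.2.840.113556.1.4.1941), so nested groups are followed server-side.
static class CrossDomainGroupCheck
{
    // Placeholders (assumptions): a global catalog server and the DN of the
    // domain that owns the groups being checked.
    const string GcPath = "GC://gc.forest-root.example";
    const string GroupDomainPath = "LDAP://dom.example/DC=dom,DC=example";
    // Escape the characters that LDAP filter syntax treats specially (RFC 4515),
    // so a user-controlled name or DN cannot change the shape of the filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
    // Resolve the user's distinguishedName forest-wide through the global
    // catalog, so the account may live in any domain of the forest.
    static string FindUserDn(string samAccountName)
    {
        using (DirectoryEntry gc = new DirectoryEntry(GcPath))
        using (DirectorySearcher ds = new DirectorySearcher(gc))
        {
            ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            SearchResult sr = ds.FindOne();
            return sr == null ? null : (string)sr.Properties["distinguishedName"][0];
        }
    }
    // True if the user is a direct or nested member of the group named groupCn,
    // whichever domain of the forest the user belongs to.
    public static bool IsInRole(string samAccountName, string groupCn)
    {
        string userDn = FindUserDn(samAccountName);
        if (userDn == null) return false;
        using (DirectoryEntry root = new DirectoryEntry(GroupDomainPath))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=group)(cn=" + EscapeFilterValue(groupCn)
                        + ")(member:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(userDn) + "))";
            ds.SearchScope = SearchScope.Subtree;
            ds.PropertiesToLoad.Add("cn");
            return ds.FindOne() != null;
        }
    }
}
```

As the answer points out, a user's primary group is not held in member/memberOf, so this search does not see it either; a user whose only link to the role is the primary group comes back false.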

Source: https://habr.com/ru/post/892166/
