Check IsInRole vs AD

I recently tried to work with WindowsPrincipal, but I'm really confused. I use this piece of code:

    using System.Security.Principal;
    using System.Windows.Forms;

    // Build a principal from the current logon token and ask it about group membership.
    WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
    MessageBox.Show(principal.IsInRole("MyDomain\\Users").ToString());

It returns True, so everything is in order. But I thought this IsInRole check works against Active Directory. But when I disconnect the network cable, it still returns true. How so? Is there an easy way to check if a registered user is in a specific domain against AD?

2 answers

Active Directory accounts can be cached on the local system, including role membership (to support the enforcement of Group Policy). You can disable the credential cache as described in the MSDN KB article "Cached Domain Information", but I'm not sure it will clear the cache. Although I cannot confirm it (since I am not currently connected to a system with cached credentials), I believe they are stored as hashes under the registry key HKEY_LOCAL_MACHINE\SECURITY\CACHE\ in values named "NLx", where x is an integer.


Your code is fine. Windows is a little smarter than we think, and caches user group memberships even when you disconnect the network cable. In fact, if you are in an AD domain, you can disconnect the cable and still log in, because everything is cached locally.

If you really want to check how this works, disconnect the cable and test membership in a group the user does not belong to; it will be false. Then add your user to another group on the server: that check will only pass after you reconnect your computer to the network and log out and back in.

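The live check the asker is after, as an added example that is not code from the question or either answer: it puts the token-based IsInRole beside a query to a domain controller through System.DirectoryServices.AccountManagement, so the two can be compared with the cable plugged in and unplugged. The domain name "MyDomain" and the group "Domain Users" are assumed placeholders; when no domain controller is reachable the live lookup raises PrincipalServerDownException, which the code reports as "unknown" rather than quietly falling back to the cached token.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // reference this assembly in the project
using System.Security.Principal;

static class RoleCheck
{
    // Token-based check: answered from the group SIDs stamped into the logon token
    // at logon time. Works offline and does not notice membership changes until
    // the user logs off and on again, which is what the question observed.
    public static bool IsInRoleFromToken(string groupName)
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(groupName);
    }

    // Live check: asks a domain controller for the current membership.
    // Returns null when no DC can be reached (for example, network cable unplugged)
    // so the caller can tell "not a member" apart from "could not verify".
    public static bool? IsInRoleFromAd(string domain, string samAccountName, string groupName)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
            {
                if (user == null || group == null) return false; // unknown user or group
                return user.IsMemberOf(group);                    // direct membership only
            }
        }
        catch (PrincipalServerDownException)
        {
            return null; // verification impossible; the caller decides how to treat that
        }
    }

    static void Main()
    {
        // Assumed placeholders: replace with your own domain and group.
        const string domain = "MyDomain";
        const string group = "Domain Users";
        string sam = WindowsIdentity.GetCurrent().Name.Split('\\')[1]; // "DOMAIN\\user" -> "user"

        Console.WriteLine("token: " + IsInRoleFromToken(domain + "\\" + group));
        bool? live = IsInRoleFromAd(domain, sam, group);
        Console.WriteLine("AD:    " + (live.HasValue ? live.Value.ToString() : "DC unreachable"));
    }
}
```

IsMemberOf only reports direct membership; for nested groups use user.GetAuthorizationGroups() instead, which also goes to the domain controller.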

Source: https://habr.com/ru/post/892737/
