
Read user authorization groups from Active Directory

In our system we are reading user security groups from an Active Directory in two slightly different ways. In one case the list of groups returned by the AD is missing the domain local groups. The response from GetAuthorizationGroups() depends on the PrincipalContext used. In the failing scenario GetAuthorizationGroups() only returns global groups; the result is missing all domain local groups from the AD. Can anyone please explain why?

Failing solution:

// Bind to the domain as the identity of the running process
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net");
var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");
PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the process is executed by “UserA”. “UserA” is a member of the domain “our.domain.net”. “UserA” is the very same user as the one identified explicitly in the working solution. The PrincipalContext should therefore be identical to the PrincipalContext in the working solution. The response from GetAuthorizationGroups() in this solution misses domain local groups from the AD.

Working solution:

// Bind to the domain with explicit credentials ("PasswordA" is a placeholder)
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net", "UserA", "PasswordA");
var userPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, "userB");
PrincipalSearchResult<Principal> groups = userPrincipal.GetAuthorizationGroups();

In this case the calling user is identified explicitly by user name and password when creating the PrincipalContext. In this case the AD returns all the groups that the user is a member of. This is the behavior I would like to see from the failing solution as well. In some cases I do not have the password of UserA, and for that reason the working solution is not an option.

Please help me understand why the failing solution does not return all the groups that the user is a member of.

Answer1:

We finally found the problem. It turned out not to be a coding problem at all. The strange behaviour was caused by an erroneous domain level in the Active Directory.

The domain level had to be set to "2003 functional level".

Now it all works as expected.

Answer2:

"It misses domain local groups from the AD" because you are probably iterating the resulting groups with a foreach loop and getting a NoMatchingPrincipalException for one of the groups that the user doesn't have read access to; at that point it stops iterating, failing to get the rest of the groups.

As a solution you may use the following iterator (the code behind the foreach construct) to get all the rest of the groups:

var enumerator = groups.GetEnumerator();
while (enumerator.MoveNext())
{
    try
    {
        var e = enumerator.Current;
        listView1.Items.Add(e.Name);
    }
    catch (NoMatchingPrincipalException)
    {
        // skip the group that cannot be resolved and keep iterating
    }
}
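A fuller version of the pattern above, added here as an example and not code from the question or from either answer. GetAuthorizationGroups() returns the groups that count for authorization (nested membership, including domain local groups), as opposed to GetGroups(), which returns only direct memberships; if the list comes back short, an access decision keyed on it silently turns into "not a member", so the caller should notice. The example binds either as the process identity or with explicit credentials, walks the result with the hand-rolled iterator so one unresolvable entry does not lose the rest, records each group's scope, and reports how many domain local groups were returned, which is the check the question is really asking for. The helper names, the UPN userB@our.domain.net, the failure cap and the password handling are assumptions of this example.

```csharp
// Added example, not code from the original question or answers.
// Assumes: a machine that can reach the domain "our.domain.net", a reference to
// System.DirectoryServices.AccountManagement, and a user whose UPN is
// "userB@our.domain.net". All helper names below are this example's own.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static class AuthorizationGroupReader
{
    public sealed class GroupInfo
    {
        public string Name;
        public string Sid;
        public GroupScope? Scope;   // Local, Global or Universal; null when unknown
    }

    // Reads the token groups of the user identified by upn (nested membership
    // included), skipping entries that cannot be resolved instead of aborting.
    public static List<GroupInfo> ReadAuthorizationGroups(
        PrincipalContext ctx, string upn, List<string> skipped)
    {
        var groups = new List<GroupInfo>();
        UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn);
        if (user == null)
            throw new ArgumentException("no user with UPN " + upn + " in " + ctx.Name);

        using (PrincipalSearchResult<Principal> result = user.GetAuthorizationGroups())
        using (IEnumerator<Principal> e = result.GetEnumerator())
        {
            int consecutiveFailures = 0;
            while (consecutiveFailures < 50)   // assumed cap: guards against an enumerator stuck on one entry
            {
                try
                {
                    if (!e.MoveNext())
                        break;
                    Principal p = e.Current;
                    var g = p as GroupPrincipal;
                    groups.Add(new GroupInfo
                    {
                        Name = p.SamAccountName ?? p.Name,
                        Sid = p.Sid == null ? null : p.Sid.Value,
                        Scope = g == null ? null : g.GroupScope
                    });
                    consecutiveFailures = 0;
                }
                catch (NoMatchingPrincipalException ex)
                {
                    // a group SID the bound identity cannot read or resolve
                    skipped.Add(ex.Message);
                    consecutiveFailures++;
                }
                catch (PrincipalOperationException ex)
                {
                    skipped.Add(ex.Message);
                    consecutiveFailures++;
                }
            }
        }
        return groups;
    }

    public static void Main(string[] args)
    {
        // Bind as the process identity (the account the code runs under) ...
        PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "our.domain.net");
        // ... or with explicit credentials; take the password from a prompt or a
        // secret store rather than from source, e.g.
        // ctx = new PrincipalContext(ContextType.Domain, "our.domain.net", "UserA", ReadPassword());

        var skipped = new List<string>();
        List<GroupInfo> groups = ReadAuthorizationGroups(ctx, "userB@our.domain.net", skipped);

        foreach (GroupInfo g in groups)
            Console.WriteLine("{0,-40} {1,-10} {2}", g.Name, g.Scope, g.Sid);

        int local = groups.Count(g => g.Scope == GroupScope.Local);
        Console.WriteLine("{0} groups resolved ({1} domain local), {2} skipped",
            groups.Count, local, skipped.Count);
        foreach (string s in skipped)
            Console.WriteLine("skipped: " + s);

        // If no domain local groups come back for a user known to be in some, the
        // binding (which DC, which identity, its read rights) is what to fix, not the loop.
        if (local == 0)
            Console.WriteLine("warning: no domain local groups returned for this context");
    }
}
```

The skipped list is worth logging, not discarding: every skipped entry is a group the bound identity could not resolve, and a run that skips entries under one identity but not under another points at a permissions or binding difference rather than at the user's actual membership.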
