
Change to Local Group Membership Requires Reboot?!

Hi,
Although I haven't been able to find any documentation to confirm it, it
looks like any change to a Windows local group's membership is only
reflected in the group editing UI (and the command-line tool 'net
localgroup'), and requires a full reboot of Windows to take effect for
any other applications.

Can anyone confirm this, or explain why I am getting behaviour that
gives this impression?
I've written a small C# application to demonstrate this:

IsInRole.cs:
============
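using System;
using System.Security.Principal;

class App
{
    static void Main(string[] args)
    {
        // Expect the group to test, e.g. MYCOMPUTER\testgroup
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: isinrole <group>");
            return;
        }

        // Principal built from the token of the current process
        WindowsPrincipal wp =
            new WindowsPrincipal(WindowsIdentity.GetCurrent());
        string group = args[0];
        bool isInRole = wp.IsInRole(group);
        string name = wp.Identity.Name;
        Console.WriteLine("User {0} is in role {1}: {2}",
            name, group, isInRole);
    }
}

Here's the output, comparing with 'net localgroup':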
==================

C:\>net localgroup testgroup
....
Members
-----------
MYDOMAIN\me
....

C:\>isinrole MYCOMPUTER\testgroup
User MYDOMAIN\me is in role MYCOMPUTER\testgroup: False
As you can see, 'net localgroup' can see that MYDOMAIN\me is a member
of the local group, but WindowsPrincipal.IsInRole cannot.

If I reboot Windows, WindowsPrincipal.IsInRole gives the correct
answer, until I remove MYDOMAIN\me from the group, when it incorrectly
indicates that the user is still in the local group.

Sep 26 '05 #1
Actually, changes to group memberships are immediate in the OS and they don't
require a reboot. What you're seeing is the effect of caching the SIDs of
the groups to which a user belongs in the user's token.

The way it works is something like this. When you log a user into a machine
a security token gets created. At that time - and that time only - the system
determines - among other things - to which groups the user belongs. This is
held in the token. Most access checks (the ones in the OS anyway) will walk
through the groups in the token.

The alternative to this caching would be to have every check be dynamic
against the underlying authoritative source. This would have two undesirable
effects. The first is that it would be slow. The second is that it would be
very hard for applications to ensure that they were acting consistently
because the results of access checks might change at seemingly random times
based on changes to group memberships.

Of course, this is the behavior you're expecting so it may just seem wrong
to you. You aren't the first person to trip on this - this is the way
Windows has always behaved.

Chris
Sep 26 '05 #2
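
Added example (not part of the thread, and not Microsoft's code): a C# check in the same vein as IsInRole.cs that compares the group SIDs cached in the current token with the group's membership as stored right now, and flags a stale token in either direction. It assumes a reference to System.DirectoryServices.AccountManagement and looks at direct members only; the class name TokenVsLive is made up for illustration.

```csharp
// Added example. Build with a reference to System.DirectoryServices.AccountManagement.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

class TokenVsLive   // hypothetical name, not from the thread
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: tokenvslive <local group name>");
            return 2;
        }

        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal wp = new WindowsPrincipal(id);

        using (var machine = new PrincipalContext(ContextType.Machine))
        using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(
                   machine, IdentityType.SamAccountName, args[0]))
        {
            if (grp == null)
            {
                Console.Error.WriteLine("No local group named {0}", args[0]);
                return 2;
            }

            // Snapshot: group SIDs copied into the token when this logon session began.
            bool inToken = wp.IsInRole(grp.Sid);

            // Live: direct members as stored in the local account database right now.
            // Assumption: nesting through domain groups is not resolved here.
            bool inGroupNow = false;
            foreach (Principal member in grp.GetMembers(false))
            {
                if (member.Sid != null && member.Sid.Equals(id.User)) { inGroupNow = true; break; }
            }

            Console.WriteLine("{0} / {1}: token={2} live={3}", id.Name, grp.Name, inToken, inGroupNow);
            if (inToken && !inGroupNow)
                Console.WriteLine("STALE: removed from the group, but this session still carries its SID.");
            else if (!inToken && inGroupNow)
                Console.WriteLine("STALE: added to the group, but this session's token predates the change.");
            return inToken == inGroupNow ? 0 : 1;   // exit code 1 signals a mismatch
        }
    }
}
```

A mismatch clears once the user starts a new logon session, because that is when a new token is built. Until then, removing a user from a group has not taken effect for sessions that are already running.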

Chris McCarron wrote:
Of course, this is the behavior you're expecting so it may just seem wrong
to you. You aren't the first person to trip on this - this is the way
Windows has always behaved.


Thanks for the explanation. I can see that the way I expected it to
behave could result in some potentially confusing situations. Still
annoyed though! :)

Sep 27 '05 #3
