Check group membership, the sequel

Hello there
IsInRole gives ya the means to check if the current or impersonated user
belongs to a specific windows role or group.
is there a way to do the same without using ADSI to check if "domain\user"
belongs to "domain\group"?
the reason is, when getting the "memberof" property of a user, then checking
if it contains the desired group or not.
this will only work if the user is a member of the group itself but not when
he is a member of a group that belongs to the designated group.
Do I make sense?
Regards
Sameh
Nov 21 '05 #1
7 5607
I still think you should be using WindowsPrincipal::IsInRole. What happened
when you tried the reflection code I suggested?

It is possible to do group membership expansion programmatically, but it
seems like it would be better to try and get the built in stuff that already
supports this working.

Joe K.

Nov 21 '05 #2
The code you sent worked very good.
and in a domain environment IsInRole worked also very well.
I use it to make the decision if the current user (running the application)
has the right to be using it or the application should quit.
So for this part, it was solved and everything works in a very good way.
within the functionality of the application, I need to take a decision on
how to handle users depending on their group memberships, i.e. if the
"domain\user" belongs to the group "domain\group" it should be dealt with in
the manner A, and if it belongs to the "domain\another group" it should be
handled in the manner B.
do I need to check if the user belongs to a certain group or not (explicitly
or implicitly by belonging to a group that is a member of the
"domain\group")?
Hope I made myself clear on that one.
thanks again.
Regards
Sameh
Nov 21 '05 #3
IsInRole supports fully nested security group membership (assuming you are
on a 2000 native AD domain that supports nested groups). You don't have to
do anything extra to make this work.

Joe K.

Nov 21 '05 #4
I need to specify a different user than the one used to run the code

Nov 21 '05 #5
So, you need to look up the group membership for a user that you don't have
a security token for? That is a little bit harder.

The absolute best way to deal with that situation is to use the protocol
transition (S4U) feature of Windows Server 2003 AD by creating a
WindowsIdentity for the user with their userPrincipalName. You don't need a
password for this. You get a lower privileged token, but you can still
create a WindowsPrincipal that can be used for role checks.

If you don't have a native mode 2003 AD, then this problem is harder to deal
with. You'll probably need to do some directory services code to do the
group membership expansion (although the AzMan APIs may be an option as
well). The secret with LDAP calls is to use the tokenGroups attribute which
is a calculated attribute that contains the fully expanded security group
membership for the object.

Joe K.

Nov 21 '05 #6
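The two approaches Joe describes above, as an added example (not code from the thread, and not Joe's S.DS sample): the tokenGroups read for a domain that has no S4U, and the WindowsIdentity(UPN) route for a 2003 native domain. It assumes System.DirectoryServices is referenced, the LDAP path and group names below are constructed placeholders, and that the caller wants a fail-closed check: membership is compared by SID rather than by name, and an unresolvable group name throws instead of silently returning false.

```csharp
// Added example for the thread above; not Joe Kaplan's sample or the poster's code.
// Assumes a domain-joined machine, System.DirectoryServices referenced, and that
// the current credentials can read the user object. All paths/names are constructed.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class NestedGroupCheck
{
    // Fully expanded security group SIDs of the user object, read from the
    // constructed tokenGroups attribute (nested groups included, unlike memberOf).
    static List<SecurityIdentifier> ExpandedGroupSids(string userLdapPath)
    {
        var sids = new List<SecurityIdentifier>();
        using (var user = new DirectoryEntry(userLdapPath))
        {
            // tokenGroups is calculated by the DC, so it must be requested explicitly.
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier(sidBytes, 0));
        }
        return sids;
    }

    // True if the user is a direct or nested member of "domain\group".
    static bool IsMemberOf(string userLdapPath, string domainGroupName)
    {
        // Resolve the group name to its SID once. An unknown group raises
        // IdentityNotMappedException rather than quietly yielding "false",
        // so a typo cannot route a user into the wrong handling branch.
        var groupSid = (SecurityIdentifier)new NTAccount(domainGroupName)
            .Translate(typeof(SecurityIdentifier));
        foreach (var sid in ExpandedGroupSids(userLdapPath))
            if (sid.Equals(groupSid)) return true;
        return false;
    }

    // 2003 native domain alternative: protocol transition (S4U) yields a token
    // for the UPN without a password, and IsInRole does the nested expansion.
    static bool IsInRoleViaS4U(string userPrincipalName, string domainGroupName)
    {
        using (var identity = new WindowsIdentity(userPrincipalName))
            return new WindowsPrincipal(identity).IsInRole(domainGroupName);
    }

    static void Main()
    {
        // Constructed sample values; replace with real distinguished names.
        string userPath = "LDAP://CN=Some User,OU=Users,DC=example,DC=com";
        bool handleAsA = IsMemberOf(userPath, @"EXAMPLE\Group A");
        bool handleAsB = IsMemberOf(userPath, @"EXAMPLE\Another Group");
        Console.WriteLine("Manner A: {0}, Manner B: {1}", handleAsA, handleAsB);
    }
}
```

Because tokenGroups is computed by the domain controller, the result reflects nested membership as the DC sees it at read time, which is the same view a logon token would carry.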
unfortunately this is a 2000 Domain.
and tokenGroups is rarely mentioned on MSDN, I will keep searching till
I get something useful on how to use that attribute.
Regards
Thanks Joe
Nov 21 '05 #7
Here's a link to one S.DS sample I've posted. Google should turn up more
hits:

http://groups.google.com/groups?hl=e...TNGP12.phx.gbl

Joe K.

Nov 21 '05 #8