So, you need to look up the group membership for a user that you don't have
a security token for? That is a little bit harder.
The absolute best way to deal with that situation is to use the protocol
transition (S4U) feature of Windows Server 2003 AD by creating a
WindowsIdentity for the user with their userPrincipalName. You don't need a
password for this. You get a lower privileged token, but you can still
create a WindowsPrincipal that can be used for role checks.
If you don't have a native mode 2003 AD, then this problem is harder to deal
with. You'll probably need to do some directory services code to do the
group membership expansion (although the AzMan APIs may be an option as
well). The secret with LDAP calls is to use the tokenGroups attribute which
is a calculated attribute that contains the fully expanded security group
membership for the object.
Joe K.
"Sameh Ahmed" <es******@hotmail.com> wrote in message
news:uo**************@TK2MSFTNGP10.phx.gbl...
I need to specify a different user than the one used to run the code
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:u1**************@tk2msftngp13.phx.gbl...
IsInRole supports fully nested security group membership (assuming you
are on a 2000 native AD domain that supports nested groups). You don't
have to do anything extra to make this work.
Joe K.
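The two approaches Joe describes in his first reply, as an added C# example (not code from the thread or from Joe Kaplan): the S4U protocol-transition path via the `WindowsIdentity(upn)` constructor followed by a WindowsPrincipal role check, and the LDAP fallback that reads the constructed tokenGroups attribute. It assumes .NET Framework on a domain-joined Windows host whose AD supports protocol transition; the class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example; GroupLookup and its methods are hypothetical names.
public static class GroupLookup
{
    // S4U path: build a WindowsIdentity from a UPN, no password required.
    // Needs a native-mode Windows Server 2003 (or later) AD. The resulting
    // token is lower privileged (identification level) but is sufficient
    // for WindowsPrincipal.IsInRole checks, which see nested groups.
    public static bool IsUserInRole(string upn, string role)
    {
        using (var identity = new WindowsIdentity(upn))
        {
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(role); // e.g. "DOMAIN\\Finance"
        }
    }

    // LDAP fallback for older domains: tokenGroups is a constructed attribute
    // holding the fully expanded security-group SIDs for the user object, so
    // no manual recursion over memberOf is needed.
    public static List<string> GetTokenGroupSids(string userDistinguishedName)
    {
        var sids = new List<string>();
        using (var user = new DirectoryEntry("LDAP://" + userDistinguishedName))
        {
            // Constructed attributes are not returned by default; ask for it.
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                sids.Add(new SecurityIdentifier(sidBytes, 0).Value);
            }
        }
        return sids;
    }

    // Map a SID string to DOMAIN\Group; unresolvable SIDs (deleted groups,
    // foreign-domain SIDs) are returned unchanged rather than throwing.
    public static string SidToName(string sid)
    {
        try { return new SecurityIdentifier(sid).Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid; }
    }
}
```

Calling `IsUserInRole` for a UPN the caller has no token for only works when the process account is allowed to perform protocol transition; otherwise fall back to `GetTokenGroupSids` and compare SIDs rather than display names.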