Checking if User is in Role

mc

I would like to check if a user is currently a member of a Local Group on the server. I am able to
do the test for the current user and all is ok, however I would like to be able to take a list of
users from a table in the database and check if the user is in the specified group. Is it possible
to take a username (as a string) and create an instance of IPrincipal for that user? Or achieve this by any
other method?

Regards


MC
 
Guest

mc said:
I would like to check if a user is currently a member of a Local Group on
the server. I am able to do the test for the current user and all is ok,
however I would like to be able to take a list of users from a table in the
database and check if the user is in the specified group. Is it possible to
take a username (as a string) and create an instance of IPrincipal for that
user? Or achieve this by any other method?

The following code returned true if UserName is a member of a Power Users
group.
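    // Requires the System and System.DirectoryServices namespaces.
    // Bind to this machine's local accounts through the WinNT provider,
    // authenticating as a local account.
    DirectoryEntry entryRoot = new DirectoryEntry(
        "WinNT://" + Environment.MachineName + ",computer",
        Environment.MachineName + "\\" + SuperUserName,
        SuperUserPassword,
        System.DirectoryServices.AuthenticationTypes.ReadonlyServer);
    // Look up the user and the group, then ask the group whether the
    // user's ADsPath is one of its members.
    DirectoryEntry userEntry = entryRoot.Children.Find(UserName, "user");
    DirectoryEntry objGroup = entryRoot.Children.Find("Power Users", "group");
    bool isMember = (bool)objGroup.Invoke("IsMember", new object[] {
        userEntry.Path.ToString() });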

SuperUserName is a local user
 
Steven Cheng[MSFT]

Hi MC,

As Alexey has suggested, if you do not have the full credentials of a user
account, you may try using ADSI to query the user groups. Or if the server
is in a Windows 2003 domain, you can also have a look at the S4U based
Kerberos authentication which allows the server to construct a Windows token
based on the user principal name (rather than full username/password
credentials):

#Exploring S4U Kerberos Extensions in Windows Server 2003
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
mc

When I try and use the S4U solution I get some error about no active logon session and the ADSI
approach didn't seem very obvious either, I have no time to investigate this properly as it's only a
"Nice to Have" requirement. I might reconsider getting this working at a later date. (if time permits)

Thanks for your assistance.


MC
 
Guest

When I try and use the S4U solution I get some error about no active logon session and the ADSI
approach didn't seem very obvious either, I have no time to investigate this properly as it's only a
"Nice to Have" requirement. I might reconsider getting this working at a later date. (if time permits)

Do you mean that the code above is not working?
 
mc

Alexey said:
Do you mean that the code above is not working?

It is not possible to store the Super User Password in the Code, therefore I don't think I would be
able to use the approach you offered.

Regards


MC
 
Guest

It is not possible to store the Super User Password in the Code, therefore I don't think I would be
able to use the approach you offered.

Regards

MC

It can be configured in the web.config.

Another way I know is a good old COM+ that you can run with a fixed
identity.
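
An added example, not code from any poster in this thread: the same WinNT ADSI IsMember check run over a list of usernames, binding as the identity the calling thread runs under so that no password is kept in code or web.config. It assumes that identity (for instance the fixed COM+ identity mentioned above) can read the local accounts database; the class name, method name and sample usernames are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class LocalGroupCheck
{
    // Maps each name to true/false, or to null when no such local account exists.
    public static Dictionary<string, bool?> CheckMembers(
        IEnumerable<string> userNames, string groupName)
    {
        var results = new Dictionary<string, bool?>(StringComparer.OrdinalIgnoreCase);
        // No username/password arguments: ADSI binds with the security
        // context of the calling thread instead of a stored credential.
        using (var machine = new DirectoryEntry(
            "WinNT://" + Environment.MachineName + ",computer"))
        using (DirectoryEntry group = machine.Children.Find(groupName, "group"))
        {
            foreach (string name in userNames)
            {
                try
                {
                    using (DirectoryEntry user = machine.Children.Find(name, "user"))
                    {
                        // IsMember tests direct membership only; groups
                        // nested inside the local group are not expanded.
                        results[name] = (bool)group.Invoke(
                            "IsMember", new object[] { user.Path });
                    }
                }
                catch (COMException)
                {
                    // Find throws when the account cannot be located.
                    results[name] = null;
                }
            }
        }
        return results;
    }

    static void Main()
    {
        // Constructed sample list standing in for the usernames read from the database table.
        string[] fromTable = { "alice", "bob", "no-such-user" };
        foreach (var pair in CheckMembers(fromTable, "Power Users"))
            Console.WriteLine("{0}: {1}", pair.Key,
                pair.Value.HasValue ? pair.Value.Value.ToString() : "account not found");
    }
}
```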
 
