User Management with Active Directory—Determining User Group Membership in Active Directory and ADAM
© 2006 Pearson Education, Inc.
Determining User Group Membership in Active Directory and ADAM
We often need to know a user’s group membership, especially when building applications that require role-based security. There are many cases when we cannot simply rely on Windows to do this expansion for us, and we need an LDAP-based approach instead. Unfortunately, many samples that attempt to show how to do this miss important details or make key mistakes that can lead to compromised security in our applications. We attempt to right these wrongs and show some proven techniques that have been effective for us.
Two linked multivalued attributes, called member and memberOf, control group membership. The member attribute is always held on the group object. The memberOf attribute is a back link held on the member object itself and is calculated by the system. As such, group membership is always managed from the group side (the forward link) of the relationship, and the back link is updated automatically: we can read memberOf, but we cannot modify it directly. The memberOf attribute contains the user’s direct group membership, with one exception: it does not contain what is called the primary group. This group receives special treatment, and we cover how to read it in the next chapter.
When we say that the memberOf attribute contains the user’s direct membership, we mean that while we can view groups that directly contain the user object, we cannot view any group membership that is derived from the nesting of group memberships. We will have to use either a recursive technique or the tokenGroups attribute to expand a user’s membership fully.
It turns out that the tokenGroups attribute is typically what we are after. This attribute holds a security identifier (SID) for each security group of which the user is a member, including nested group membership and the aforementioned primary group. Because it is a constructed attribute computed by the domain controller that answers the request, it is not returned by an ordinary property read: it must be requested explicitly, with a base-scope search or a refresh of the property cache against the user object itself. Recursive solutions, by contrast, tend to be messy, and their only real advantage is that they will also expand membership in distribution groups, whereas tokenGroups contains only security group membership.
We will cover three techniques for reading group membership using the tokenGroups attribute. The first technique uses an LDAP search to find the group object for each SID in the tokenGroups attribute, and the second uses the DsCrackNames API to convert all of the SIDs in a single batch. The third technique is a .NET 2.0-only solution using the new IdentityReference-based classes in System.Security.Principal (SecurityIdentifier and NTAccount).
Our ultimate goal will be to convert the tokenGroups attribute into a collection of human-readable group names. A typical example of this is to build a GenericPrincipal object and fill it with roles for a custom ASP.NET Forms authentication mechanism.
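As an added example that is not part of the original article, the following C# (System.DirectoryServices and System.Security.Principal, .NET 2.0 or later) reads a user’s tokenGroups, resolves each SID to a group name, and builds a GenericPrincipal from the result. It uses the third technique (SecurityIdentifier.Translate) first and falls back to the first technique (an LDAP search on objectSid) for SIDs the local machine cannot map, which is what happens with ADAM groups or a domain with no trust path; the DsCrackNames batch technique is not shown because it needs P/Invoke. The server name, distinguished names and account name are placeholders.

```csharp
// Added example, not from the original article. Reads the constructed
// tokenGroups attribute of a user, converts the SIDs to group names, and
// builds a GenericPrincipal carrying those names as roles.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class TokenGroupsReader
{
    // tokenGroups is constructed by the DC, so an ordinary property read does
    // not return it; RefreshCache asks the server for it explicitly. Each value
    // is a raw binary SID, one per security group, nested and primary included.
    public static List<SecurityIdentifier> GetTokenGroups(DirectoryEntry user)
    {
        user.RefreshCache(new string[] { "tokenGroups" });
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        foreach (byte[] sidBytes in user.Properties["tokenGroups"])
        {
            sids.Add(new SecurityIdentifier(sidBytes, 0));
        }
        return sids;
    }

    // Technique 3: Translate maps a SID to DOMAIN\Group through the local
    // security authority. SIDs it cannot map (ADAM groups, untrusted domains)
    // fall back to technique 1. A SID that resolves nowhere is dropped rather
    // than guessed at: a role granted on an unverified identifier is a hole.
    public static List<string> ResolveGroupNames(DirectoryEntry searchRoot,
                                                 IEnumerable<SecurityIdentifier> sids)
    {
        List<string> names = new List<string>();
        foreach (SecurityIdentifier sid in sids)
        {
            try
            {
                NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
                names.Add(account.Value);
            }
            catch (IdentityNotMappedException)
            {
                string name = FindGroupNameBySid(searchRoot, sid);
                if (name != null)
                {
                    names.Add(name);
                }
            }
        }
        return names;
    }

    // Technique 1: find the group whose objectSid equals the SID. The SID goes
    // into the filter as escaped bytes (\XX per byte), the LDAP syntax for
    // binary values, so no attacker-controlled text ever reaches the filter.
    public static string FindGroupNameBySid(DirectoryEntry searchRoot, SecurityIdentifier sid)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        StringBuilder escaped = new StringBuilder(raw.Length * 3);
        foreach (byte b in raw)
        {
            escaped.Append('\\').Append(b.ToString("X2"));
        }
        using (DirectorySearcher searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = "(&(objectClass=group)(objectSid=" + escaped + "))";
            searcher.PropertiesToLoad.Add("cn");
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["cn"].Count == 0)
            {
                return null;
            }
            return (string)result.Properties["cn"][0];
        }
    }

    // The goal from the text: a principal whose roles are the expanded group
    // names, ready for IsInRole checks in a custom Forms authentication scheme.
    public static GenericPrincipal BuildPrincipal(string userName, List<string> groupNames)
    {
        return new GenericPrincipal(new GenericIdentity(userName, "Custom"), groupNames.ToArray());
    }

    public static void Main()
    {
        // Placeholder server and DNs; substitute the real DC and user object.
        using (DirectoryEntry root = new DirectoryEntry("LDAP://dc.example.com/DC=example,DC=com"))
        using (DirectoryEntry user = new DirectoryEntry("LDAP://dc.example.com/CN=jdoe,CN=Users,DC=example,DC=com"))
        {
            List<string> groups = ResolveGroupNames(root, GetTokenGroups(user));
            GenericPrincipal principal = BuildPrincipal("jdoe", groups);
            foreach (string g in groups)
            {
                Console.WriteLine(g);
            }
            Console.WriteLine(principal.IsInRole("EXAMPLE\\Domain Users"));
        }
    }
}
```

Two points worth keeping in mind when adapting this: the names produced by the two paths differ in form (DOMAIN\Group from Translate, bare cn from the LDAP search), so pick one canonical form before comparing against role names in configuration; and because tokenGroups is computed by whichever DC answers, bind to a DC in the user’s own domain when the set of domain local groups matters.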