Hierarchical (nested) group membership
Hello!
I have a question about discovering (for instance in C#) the groups a user belongs to when there is a hierarchy of nested groups. Let's say User is a member of Group_A and Group_A is a member of Group_B. Is there a direct way to find out that User actually belongs both to Group_A and Group_B? It seems that I can discover just the "first level membership". Do I have to implement an "in-depth discovery" on my own? Thanks a lot!

"filcap" <fil***@discussions.microsoft.com> wrote in message news:D4645050-FC32-4E97-BB56-25D95C18CB1F@microsoft.com...

You can code a recursive method to reveal nested group membership. Enumerate the groups the user is a direct member of, then for each group enumerate the groups they are members of recursively. This will not reveal membership in the "primary" group of the user.

Or, you can enumerate the tokenGroups attribute. This multivalued attribute is a collection of the SIDs (objectSid values) of the security groups the user is a member of, including all memberships due to nesting and the "primary" group. The trick is to handle each objectSid, which is a byte array, convert it to a hex string, and bind to the group object to determine the group name. This method also does not reveal membership in distribution groups, but no recursion is needed.

Finally, one gotcha to avoid with the recursive technique. It is possible for the group nesting to be circular. I've seen several cases where people reported this. For example, Group_A is a member of Group_B, Group_B is a member of Group_C, and Group_C is a member of Group_A. Unless you account for this you can get caught in an infinite loop. You can use a dictionary object. If the group is not in the dictionary object, add it and enumerate the members. Otherwise the group is a duplicate, so skip it.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

In addition to what Richard says, our book includes several samples at the end of chapter 10 that show how to do group membership expansion for users using the tokenGroups attribute in C# (and VB.NET on the website). You can download the complete ch. 10 and the code samples from our book's web site, which is linked in my signature.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in message news:%23LQnH6cMIHA.484@TK2MSFTNGP06.phx.gbl...
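Richard's two approaches above (the recursive memberOf walk with a dictionary to break cycles, and the tokenGroups read with a bind by SID), as an added C# example that is not part of the original thread and is not code from either poster's book or website. The recursive walk is written against a lookup delegate so the cycle handling can be exercised on a constructed in-memory graph (User -> Group_A -> Group_B -> Group_C -> Group_A) before pointing it at a domain; the names `Expand`, `MemberOfFromAd`, `TokenGroupsFromAd` and the DN `CN=User,OU=People,DC=example,DC=com` are placeholders chosen here, and the live calls need a domain-joined machine and a reference to System.DirectoryServices.

```csharp
// Added example (not from the original thread). Nested group expansion two ways:
//  1) recursive memberOf walk with a "seen" set so circular nesting terminates;
//  2) tokenGroups, a constructed attribute holding the SIDs of every security
//     group the DC would put in the user's token (nested and primary group).
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class NestedGroups
{
    // Transitive closure of "is a member of". `parentsOf` returns the direct
    // memberOf values for a name or DN. `seen` is Richard's dictionary: a group
    // is expanded once, so A -> B -> C -> A cannot loop.
    public static ISet<string> Expand(string start, Func<string, IEnumerable<string>> parentsOf)
    {
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase); // DNs compare case-insensitively
        var pending = new Stack<string>();
        foreach (var g in parentsOf(start)) pending.Push(g);
        while (pending.Count > 0)
        {
            var group = pending.Pop();
            if (!seen.Add(group)) continue;          // duplicate or cycle: skip
            foreach (var parent in parentsOf(group)) pending.Push(parent);
        }
        return seen;
    }

    // Live adapter: direct memberOf of an object given its DN.
    // Note: memberOf never contains the user's primary group.
    public static IEnumerable<string> MemberOfFromAd(string dn)
    {
        using (var entry = new DirectoryEntry("LDAP://" + dn))
        {
            entry.RefreshCache(new[] { "memberOf" });
            foreach (object value in entry.Properties["memberOf"])
                yield return (string)value;
        }
    }

    // tokenGroups is constructed by the DC and is only populated when asked for
    // explicitly via RefreshCache. Each value is a raw objectSid byte array; the
    // hex string form binds with the LDAP://<SID=...> syntax, no search needed.
    // Returns SID string -> group DN. Distribution groups are not included.
    public static IDictionary<string, string> TokenGroupsFromAd(string userDn)
    {
        var result = new Dictionary<string, string>();
        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                string hex = BitConverter.ToString(sidBytes).Replace("-", "");
                string sid = new SecurityIdentifier(sidBytes, 0).Value;   // S-1-5-21-... for display
                using (var group = new DirectoryEntry("LDAP://<SID=" + hex + ">"))
                {
                    result[sid] = (string)group.Properties["distinguishedName"].Value;
                }
            }
        }
        return result;
    }

    static void Main()
    {
        // Constructed in-memory directory (placeholder data, not a real domain)
        // with the circular nesting Richard warns about, plus one leaf group.
        var graph = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["User"]    = new[] { "Group_A" },
            ["Group_A"] = new[] { "Group_B", "Group_D" },
            ["Group_B"] = new[] { "Group_C" },
            ["Group_C"] = new[] { "Group_A" },   // closes the cycle
            ["Group_D"] = new string[0],
        };
        var nested = Expand("User", name => graph.TryGetValue(name, out var p) ? p : new string[0]);
        Console.WriteLine(string.Join(", ", nested));   // Group_A, Group_B, Group_C, Group_D (any order)

        // Against a real domain (placeholder DN; uncomment on a domain-joined machine):
        // var viaMemberOf = Expand("CN=User,OU=People,DC=example,DC=com", MemberOfFromAd);
        // var viaToken    = TokenGroupsFromAd("CN=User,OU=People,DC=example,DC=com");
    }
}
```

The two live paths answer slightly different questions, which is the point of Richard's comparison: `Expand` over `MemberOfFromAd` reports every group reachable through memberOf links, distribution groups included, but misses the primary group; `TokenGroupsFromAd` reports exactly the security groups the DC resolves for the user's token, primary group included, with no recursion and no risk of looping, but says nothing about distribution groups. For an authorization check, tokenGroups is the one that matches what the DC actually enforces.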