Getting nested groups from user

George Waters 21 Reputation points
2024-03-15T00:28:55.87+00:00

Hello,

I have been using advapi32.dll to check if a user is member of a group, using the function LookupAccountName and CheckTokenMembership, so far it works fine, but only if the user has a direct membership on the group, this is:

  • ParentGroup (Returns false)
  • ----ChildGroup (Returns true)
  • --------User (membership of ChildGroup)

So even when user is part of ParentGroup, it returns false.

Is there a way to query Global Catalog (GC://domain) and get direct and indirect memberships or any API that does the job?

Thank you,

George

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,980 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,724 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jiale Xue - MSFT 47,661 Reputation points Microsoft Vendor
    2024-03-15T08:05:56.67+00:00

    Hi @George Waters , Welcome to Microsoft Q&A,

    I'm not an expert on Active Directory.

    Maybe you could use the classes in the System.DirectoryServices.AccountManagement namespace to query the global directory and get the direct and indirect membership of a user. Specifically, you can use the PrincipalContext and GroupPrincipal classes to do this.

    The GetAuthorizationGroups() method returns all the user's authorization groups, including direct and indirect membership, which you can use for further judgment.

    using System;
    using System.DirectoryServices.AccountManagement;
    
    namespace xxx
    {
         internal class Program
         {
             static void Main(string[] args)
             {
                 // Assuming you already have the user's username and domain
                 string username = "username";
                 string domain = "yourdomain.com";
    
                 // Establish a PrincipalContext connected to the domain
                 using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
                 {
                     // Find user object
                     UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
    
                     if (user != null)
                     {
                         // Determine whether the user has permissions
                         bool hasPermission = HasPermission(user);
    
                         if(hasPermission)
                         {
                             Console.WriteLine("The user has permission.");
                         }
                         else
                         {
                             Console.WriteLine("The user does not have permission.");
                         }
                     }
                     else
                     {
                         Console.WriteLine("User not found.");
                     }
                 }
             }
             // Determine whether the user has permissions
    
             static bool HasPermission(UserPrincipal user)
             {
                 // Get all authorization groups of the user
                 PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
    
                 // Check here if the group has permissions, here is just an example
                 foreach (GroupPrincipal group in groups)
                 {
                     if (group.Name == "Group with permissions")
                     {
                         return true;
                     }
                 }
    
                 return false;
             }
         }
    }
    

    Best Regards,

    Jiale


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.