Share via

Getting nested groups from user

George Waters 21 Reputation points
2024-03-15T00:28:55.87+00:00

Hello,

I have been using advapi32.dll to check if a user is member of a group, using the function LookupAccountName and CheckTokenMembership, so far it works fine, but only if the user has a direct membership on the group, this is:

  • ParentGroup (Returns false)
  • ----ChildGroup (Returns true)
  • --------User (membership of ChildGroup)

So even when user is part of ParentGroup, it returns false.

Is there a way to query Global Catalog (GC://domain) and get direct and indirect memberships or any API that does the job?

Thank you,

George

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,648 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,244 questions
0 comments
Accepted answer
  1. Jiale Xue - MSFT 43,046 Reputation points Microsoft Vendor
    2024-03-15T08:05:56.67+00:00

    Hi @George Waters , Welcome to Microsoft Q&A,

    I'm not an expert on Active Directory.

    Maybe you could use the classes in the System.DirectoryServices.AccountManagement namespace to query the global directory and get the direct and indirect membership of a user. Specifically, you can use the PrincipalContext and GroupPrincipal classes to do this.

    The GetAuthorizationGroups() method returns all the user's authorization groups, including direct and indirect membership, which you can use for further judgment.

    using System;
using System.DirectoryServices.AccountManagement;

namespace xxx
{
     internal class Program
     {
         static void Main(string[] args)
         {
             // Assuming you already have the user's username and domain
             string username = "username";
             string domain = "yourdomain.com";

             // Establish a PrincipalContext connected to the domain
             using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
             {
                 // Find user object
                 UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);

                 if (user != null)
                 {
                     // Determine whether the user has permissions
                     bool hasPermission = HasPermission(user);

                     if(hasPermission)
                     {
                         Console.WriteLine("The user has permission.");
                     }
                     else
                     {
                         Console.WriteLine("The user does not have permission.");
                     }
                 }
                 else
                 {
                     Console.WriteLine("User not found.");
                 }
             }
         }
         // Determine whether the user has permissions

         static bool HasPermission(UserPrincipal user)
         {
             // Get all authorization groups of the user
             PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();

             // Check here if the group has permissions, here is just an example
             foreach (GroupPrincipal group in groups)
             {
                 if (group.Name == "Group with permissions")
                 {
                     return true;
                 }
             }

             return false;
         }
     }
}

    Best Regards,

    Jiale

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest