-
Jul 10th, 2006, 04:55 PM
#1
Thread Starter
Addicted Member
Check if user is a member of an Active Directory Group
With the help of some threads in this forum, I was able to put this together.
This is a function to which you pass the username and the AD group. If it finds a match, it returns true, else false. That way you can control what users can see on the webpage based on their AD rights.
To use the code below, you must be able to get the username. I believe you need to turn off anonymous access on the virtual directory, via My Computer, right-click, manage, default website etc.
Add this to your web.config file....
Code:
<identity impersonate="true" />
And call something like....
dim NTLogin as string = Replace(Environment.UserName, "Mydomain\", "")
To remove the domain name. If you still have problems getting the username, there are many threads in this forum that assist with that.
Okay, Here is the function for checking if a user is a member of an AD group.
Please post questions, concerns, comments, suggestions, etc.
VB Code:
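'These Imports go at the top of the file; the project also needs a
'reference to System.DirectoryServices.dll.
Imports System.DirectoryServices
Imports System.Web

Public Function Check_If_Member_Of_AD_Group(ByVal username As String, _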
ByVal grouptoCheck As String, _
ByVal domain As String, _
ByVal ADlogin As String, _
ByVal ADpassword As String) _
As Boolean
'This is a function that receives a username to see if it's a
'member of a specific group in AD.
Try
'First let's put the whole thing in a nice big try catch, and
'catch any errors.
Dim EntryString As String
EntryString = "LDAP://" & domain
'Above, we setup the LDAP basic entry string.
Dim myDE As DirectoryEntry
'Above, I dimension my DirectoryEntry object
grouptoCheck = grouptoCheck.ToLower()
'The groups returned may have different combinations of
'lowercase and uppercase, so let's go ahead
'and make grouptoCheck lowercase.
If (ADlogin <> "" AndAlso ADpassword <> "") Then
'If they provided a password, then add it
'as an argument to the function
'I recently learned about AndAlso, and it's pretty
'cool. Basically it does not worry about checking
'the next condition if the first one is not true.
myDE = New DirectoryEntry(EntryString, ADlogin, ADpassword)
'Above, we create a new instance of the Directory Entry
'Includes login and password
Else
'Else, use the account credentials of the machine
'making the request. You might not be able to get
'away with this if your production server does not have
'rights to query Active Directory.
'Then again, there are workarounds for anything.
myDE = New DirectoryEntry(EntryString)
'Above, we create a new instance of the Directory Entry
'Does not include login and password
End If
Dim myDirectorySearcher As New DirectorySearcher(myDE)
'Above we create new instance of a DirectorySearcher
'We also specify the Directory Entry as an argument.
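'Escape the LDAP filter special characters in username (\ * ( ) and NUL)
'so that the value passed in cannot change the search filter.
username = username.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
myDirectorySearcher.Filter = "(sAMAccountName=" & username & ")"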
'Above we specify to filter our results where
'sAMAccountName is equal to our username passed in.
myDirectorySearcher.PropertiesToLoad.Add("MemberOf")
'We only care about the MemberOf Properties, and we
'specify that above.
Dim myresult As SearchResult = myDirectorySearcher.FindOne()
'SearchResult is a node in Active Directory that is returned
'during a search through System.DirectoryServices.DirectorySearcher
'Above, we dim a myresult object, and assign a node returned
'from myDirectorySearcher.FindOne()
'I've never heard of similar login Id's in Active Directory,
'so I don't think we need to call FindAll(), so Instead
'we call FindOne()
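If myresult Is Nothing Then
'FindOne() returns Nothing when no account matches the filter,
'so the user cannot be a member of the group.
Return False
End If
Dim NumberOfGroups As Integer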
NumberOfGroups = myresult.Properties("memberOf").Count() - 1
'Above we get the number of groups the user is a memberOf,
'and store it in a variable. It is zero indexed, so we
'remove 1 so we can loop through it.
Dim tempString As String
'A temp string that we will use to get only what we
'need from the MemberOf string property
While (NumberOfGroups >= 0)
tempString = myresult.Properties("MemberOf").Item(NumberOfGroups).ToString()
tempString = tempString.Substring(0, tempString.IndexOf(",", 0))
'Above we set tempString to the first index of "," starting
'from the zeroth element of itself.
tempString = tempString.Replace("CN=", "")
'Above, we remove the "CN=" from the beginning of the string
tempString = tempString.ToLower() 'Lets make all letters lowercase
tempString = tempString.Trim()
'Finally, we trim any blank characters from the edges
If (grouptoCheck = tempString) Then
Return True
End If
'If we have a match, the return is true
'username is a member of grouptoCheck
NumberOfGroups = NumberOfGroups - 1
End While
'If the code reaches here, there was no match.
'Return false
Return False
Catch ex As Exception
HttpContext.Current.Response.Write("Error: <br><br>" & ex.ToString)
'On any error, report "not a member" explicitly.
Return False
End Try
End Function
Last edited by silentthread; Jul 10th, 2006 at 05:18 PM.
-
Jul 11th, 2006, 09:41 PM
#2
Thread Starter
Addicted Member
Re: Check if user is a member of an Active Directory Group
I want to mention that a buddy of mine mentioned to me that this function does not search for nested group memberships. If you want to tackle that one, then go for it.
If I ever need something like that, then I will put something together.
Last edited by silentthread; Jul 21st, 2006 at 08:08 PM.
-
Jul 21st, 2006, 08:06 PM
#3
Thread Starter
Addicted Member
Re: Check if user is a member of an Active Directory Group
2 things to note.......
a- If you are placing this on a production asp.net server, you will need to provide the LDAP account in the following fashion.....
mydomainblablah\bubbasLDAP_account
The prefixing of the domain is not important on your localhost though.
b- If you need to search nested group memberships, this can really beat up your asp.net server. We recently created an app that copies all the information from Active Directory into a SQL database. This copying happens automatically every night.
This method of querying nested group memberships from a SQL database has drastically increased our web application's performance.
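Added example, not part of the original thread or the poster's code: one way to cover the nested memberships mentioned in posts #2 and #3 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN filter, which lets the domain controller follow the group chain in a single search. The module and function names, the sample username and the group DN are constructed for illustration; identifying the group by its full distinguishedName instead of its CN is an assumption about how the caller stores it.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Text

Module NestedGroupCheck
    ' OID of LDAP_MATCHING_RULE_IN_CHAIN: AD walks the membership chain server-side.
    Private Const InChain As String = "1.2.840.113556.1.4.1941"

    ' Escape a value for use inside an LDAP search filter (RFC 4515).
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Filter that matches the account only if it is a direct or nested member of groupDn.
    Public Function BuildNestedMemberFilter(ByVal username As String, _
                                            ByVal groupDn As String) As String
        Return "(&(sAMAccountName=" & EscapeFilterValue(username) & ")" & _
               "(memberOf:" & InChain & ":=" & EscapeFilterValue(groupDn) & "))"
    End Function

    ' root is an already-bound DirectoryEntry, created as in the thread's function.
    Public Function IsMemberIncludingNested(ByVal root As DirectoryEntry, _
                                            ByVal username As String, _
                                            ByVal groupDn As String) As Boolean
        Using searcher As New DirectorySearcher(root)
            searcher.Filter = BuildNestedMemberFilter(username, groupDn)
            searcher.PropertiesToLoad.Add("distinguishedName")
            ' No hit means: unknown account, or not in the group at any nesting depth.
            Return searcher.FindOne() IsNot Nothing
        End Using
    End Function

    Sub Main()
        ' Constructed inputs: a username carrying filter metacharacters and a placeholder group DN.
        Console.WriteLine(BuildNestedMemberFilter("bob)(|(cn=*", _
            "CN=Web Admins,OU=Groups,DC=example,DC=com"))
    End Sub
End Module
```

Matching on the full DN also avoids confusing two groups that share a CN in different containers, and a user's primary group is not listed in memberOf, so neither this filter nor the thread's loop will report it.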
-
Jan 25th, 2008, 10:57 AM
#4
PowerPoster
Re: Check if user is a member of an Active Directory Group
hi silentthread and sorry me..
But this code is in VB.net?
I need a similar code to check if member is in group but in vb classic, have one?
Tks.
-
Jan 26th, 2008, 02:37 PM
#5
Thread Starter
Addicted Member
Re: Check if user is a member of an Active Directory Group
It should not be too hard. Sorry, I don't have that handy. You might want to look for sites like this one.....
http://labs.developerfusion.co.uk/co...to-csharp.aspx
in which they convert to different languages. I doubt though that someone will have a vb.net to vb code converter.
-
Aug 8th, 2008, 12:39 PM
#6
New Member
Re: Check if user is a member of an Active Directory Group
Originally Posted by silentthread
2 things to note.......
a- If you are placing this on a production asp.net server, you will need to provide the LDAP account in the following fashion.....
mydomainblablah\bubbasLDAP_account
The prefixing of the domain is not important on your localhost though.
b- If you need to search nested group memberships, this can really beat up your asp.net server. We recently created an app that copies all the information from Active Directory into a SQL database. This copying happens automatically every night.
This method of querying nested group memberships from a SQL database has drastically increased our web application's performance.
Can you reference some resources on how you copied AD to SQL? I'd be interested in pursuing this.
-
Sep 7th, 2010, 09:16 AM
#7
New Member
Re: Check if user is a member of an Active Directory Group
Originally Posted by jrhyne2584
Can you reference some resources on how you copied AD to SQL? I'd be interested in pursuing this.
There is a tool that comes with SQL Management Studio (import/export data); you can use it to transfer a database from any regular format to SQL.
Last edited by zurab0274; Sep 8th, 2010 at 11:11 AM.
-
Dec 23rd, 2011, 04:37 PM
#8
New Member
Re: Check if user is a member of an Active Directory Group
Thank you silentthread.
It helps me a lot. I needed the function in C#, so I translated it. I think I could post this here, although it is a VB forum.
Code:
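// These using directives go at the top of the file; the project also needs a
// reference to System.DirectoryServices.dll.
using System;
using System.DirectoryServices;
using System.Web;

public Boolean Check_If_Member_Of_AD_Group(String username, String grouptoCheck, String domain, String ADlogin, String ADpassword)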
{
//This is a function that receives a username to see if it's a
//member of a specific group in AD.
try
{
//'First let's put the whole thing in a nice big try catch, and
//'catch any errors.
String EntryString;
EntryString = "LDAP://" + domain;
//'Above, we setup the LDAP basic entry string.
DirectoryEntry myDE;
//'Above, I dimension my DirectoryEntry object
grouptoCheck = grouptoCheck.ToLower();
//'The groups returned may have different combinations of
//'lowercase and uppercase, so let's go ahead
//'and make grouptoCheck lowercase.
if (ADlogin != "" && ADpassword != "")
{
//'If they provided a password, then add it
//'as an argument to the function
//'I recently learned about AndAlso, and it's pretty
//'cool. Basically it does not worry about checking
//'the next condition if the first one is not true.
myDE = new DirectoryEntry(EntryString, ADlogin, ADpassword);
//'Above, we create a new instance of the Directory Entry
//'Includes login and password
}
else
{
//'Else, use the account credentials of the machine
//'making the request. You might not be able to get
//'away with this if your production server does not have
//'rights to query Active Directory.
//'Then again, there are workarounds for anything.
myDE = new DirectoryEntry(EntryString);
//'Above, we create a new instance of the Directory Entry
//'Does not include login and password
}
DirectorySearcher myDirectorySearcher = new DirectorySearcher(myDE);
//'Above we create new instance of a DirectorySearcher
//'We also specify the Directory Entry as an argument.
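//'Escape the LDAP filter special characters in username (\ * ( ) and NUL)
//'so that the value passed in cannot change the search filter.
username = username.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
myDirectorySearcher.Filter = "(sAMAccountName=" + username + ")";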
//'Above we specify to filter our results where
//'sAMAccountName is equal to our username passed in.
myDirectorySearcher.PropertiesToLoad.Add("MemberOf");
myDirectorySearcher.PropertiesToLoad.Add("Name");
//'We only care about the MemberOf Properties, and we
//'specify that above.
SearchResult myresult = myDirectorySearcher.FindOne();
//'SearchResult is a node in Active Directory that is returned
//'during a search through System.DirectoryServices.DirectorySearcher
//'Above, we dim a myresult object, and assign a node returned
//'from myDirectorySearcher.FindOne()
//'I've never heard of similar login Id's in Active Directory,
//'so I don't think we need to call FindAll(), so Instead
//'we call FindOne()
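if (myresult == null)
{
//'FindOne() returns null when no account matches the filter,
//'so the user cannot be a member of the group.
return false;
}
if(myresult.Properties["Name"].Count > 0)
{
//'loggedName is not declared in this snippet; it is assumed to be
//'a String field of the containing class.
loggedName = myresult.Properties["Name"][0].ToString();
}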
Int32 NumberOfGroups;
NumberOfGroups = myresult.Properties["memberOf"].Count - 1;
//'Above we get the number of groups the user is a memberOf,
//'and store it in a variable. It is zero indexed, so we
//'remove 1 so we can loop through it.
String tempString;
//'A temp string that we will use to get only what we
//'need from the MemberOf string property
while (NumberOfGroups >= 0)
{
tempString = myresult.Properties["MemberOf"][NumberOfGroups].ToString();
tempString = tempString.Substring(0, tempString.IndexOf(",", 0));
//'Above we set tempString to the first index of "," starting
//'from the zeroth element of itself.
tempString = tempString.Replace("CN=", "");
//'Above, we remove the "CN=" from the beginning of the string
tempString = tempString.ToLower(); //'Lets make all letters lowercase
tempString = tempString.Trim();
//'Finally, we trim any blank characters from the edges
if (grouptoCheck == tempString)
{
return true;
}
//'If we have a match, the return is true
//'username is a member of grouptoCheck
NumberOfGroups = NumberOfGroups - 1;
}
//'If the code reaches here, there was no match.
//'Return false
return false;
}
catch (Exception ex)
{
HttpContext.Current.Response.Write("Error: <br><br>" + ex.ToString());
}
return false;
}
Tks again.
Hernandes Moreira