ActiveDirectory group membership in offline profile

Hi

I have written an application in which I am using AD groups to set the program permissions.

Sample code:

    // btnUpdate is a button on the form; it is only shown to members of the group
    System.Security.Principal.WindowsIdentity ident =
        System.Security.Principal.WindowsIdentity.GetCurrent();
    System.Security.Principal.WindowsPrincipal prin =
        new System.Security.Principal.WindowsPrincipal(ident);
    System.Threading.Thread.CurrentPrincipal = prin;

    // role check by group name
    if (prin.IsInRole(@"domain\group"))
    {
        btnUpdate.Visible = true;
    }

When the user is not connected to the network, it is possible to log on because of the user's offline profile.

But then the code doesn't work, because the user has no memberships. I thought the group membership would be stored in the offline user profile too.

What can I do to solve that problem?

Thanks for the help.

Tim


Reply from Dominick Baier:

Hi,

you only have SIDs, no group names - you can easily check that with:

    whoami /groups

You will see local groups and SIDs for domain groups.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Hi
>
> I have written an application in which I am using AD groups to set the
> program permissions.
>
> Sample code:
>     System.Security.Principal.WindowsIdentity ident =
>         System.Security.Principal.WindowsIdentity.GetCurrent();
>     System.Security.Principal.WindowsPrincipal prin =
>         new System.Security.Principal.WindowsPrincipal(ident);
>     System.Threading.Thread.CurrentPrincipal = prin;
>     if (prin.IsInRole(@"domain\group"))
>     {
>         btnUpdate.Visible = true;
>     }
>
> When the user is not connected to the network, it is possible to log
> on because of the user's offline profile.
>
> But then the code doesn't work, because the user has no memberships. I
> thought the group membership would be stored in the offline user
> profile too.
>
> What can I do to solve that problem?
>
> Thanks for the help.
>
> Tim
Reply from Tim:

Hi

Thanks. I tried that; when I do that offline I get the SIDs with the additional parameter /all.

But when I test the code with the SID instead of the name of the group, it doesn't work either.

Dominick Baier wrote:

> Hi,
>
> you only have SIDs, no group names - you can easily check that with:
>
>     whoami /groups
>
> You will see local groups and SIDs for domain groups.
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
> > Hi
> >
> > I have written an application in which I am using AD groups to set the
> > program permissions.
> >
> > Sample code:
> >     System.Security.Principal.WindowsIdentity ident =
> >         System.Security.Principal.WindowsIdentity.GetCurrent();
> >     System.Security.Principal.WindowsPrincipal prin =
> >         new System.Security.Principal.WindowsPrincipal(ident);
> >     System.Threading.Thread.CurrentPrincipal = prin;
> >     if (prin.IsInRole(@"domain\group"))
> >     {
> >         btnUpdate.Visible = true;
> >     }
> >
> > When the user is not connected to the network, it is possible to log
> > on because of the user's offline profile.
> >
> > But then the code doesn't work, because the user has no memberships. I
> > thought the group membership would be stored in the offline user
> > profile too.
> >
> > What can I do to solve that problem?
> >
> > Thanks for the help.
> >
> > Tim


Reply from Dominick Baier:

Of course - you cannot pass the SID string directly to IsInRole.

Try this:

    using System;
    using System.Security.Principal;

    static void Main(string[] args)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // list the group SIDs present in the current logon token
        foreach (IdentityReference group in id.Groups)
        {
            Console.WriteLine(group.Value);
        }

        WindowsPrincipal p = new WindowsPrincipal(id);

        // check membership by SID instead of by name, so no name lookup is needed
        SecurityIdentifier sid = new SecurityIdentifier("some domain SID shown by whoami");

        if (p.IsInRole(sid))
            Console.WriteLine("OK");
    }

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Hi
>
> Thanks.
>
> I tried that; when I do that offline I get the SIDs with the
> additional parameter /all.
>
> But when I test the code with the SID instead of the name of the
> group, it doesn't work either.
>
> Dominick Baier wrote:
>
>> Hi,
>>
>> you only have SIDs, no group names - you can easily check that with:
>>
>>     whoami /groups
>>
>> You will see local groups and SIDs for domain groups.
>> ---
>> Dominick Baier, DevelopMentor
>> http://www.leastprivilege.com
>>> Hi
>>>
>>> I have written an application in which I am using AD groups to set
>>> the program permissions.
>>>
>>> Sample code:
>>>     System.Security.Principal.WindowsIdentity ident =
>>>         System.Security.Principal.WindowsIdentity.GetCurrent();
>>>     System.Security.Principal.WindowsPrincipal prin =
>>>         new System.Security.Principal.WindowsPrincipal(ident);
>>>     System.Threading.Thread.CurrentPrincipal = prin;
>>>     if (prin.IsInRole(@"domain\group"))
>>>     {
>>>         btnUpdate.Visible = true;
>>>     }
>>> When the user is not connected to the network, it is possible to log
>>> on because of the user's offline profile.
>>>
>>> But then the code doesn't work, because the user has no memberships.
>>> I thought the group membership would be stored in the offline user
>>> profile too.
>>>
>>> What can I do to solve that problem?
>>>
>>> Thanks for the help.
>>>
>>> Tim
Reply from Tim:

Hi

I tried it on my own and found out that in C# 1.1 it is not possible to pass a SecurityIdentifier. In C# 2 it works! Thanks for the help!

Dominick Baier wrote:

> Of course - you cannot pass the SID string directly to IsInRole.
>
> Try this:
>
>     static void Main(string[] args)
>     {
>         WindowsIdentity id = WindowsIdentity.GetCurrent();
>         foreach (IdentityReference group in id.Groups)
>         {
>             Console.WriteLine(group.Value);
>         }
>
>         WindowsPrincipal p = new WindowsPrincipal(id);
>
>         SecurityIdentifier sid = new SecurityIdentifier("some domain SID shown by whoami");
>
>         if (p.IsInRole(sid))
>             Console.WriteLine("OK");
>     }
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
> > Hi
> >
> > Thanks.
> >
> > I tried that; when I do that offline I get the SIDs with the
> > additional parameter /all.
> >
> > But when I test the code with the SID instead of the name of the
> > group, it doesn't work either.
> >
> > Dominick Baier wrote:
> >
> >> Hi,
> >>
> >> you only have SIDs, no group names - you can easily check that with:
> >>
> >>     whoami /groups
> >>
> >> You will see local groups and SIDs for domain groups.
> >> ---
> >> Dominick Baier, DevelopMentor
> >> http://www.leastprivilege.com
> >>> Hi
> >>>
> >>> I have written an application in which I am using AD groups to set
> >>> the program permissions.
> >>>
> >>> Sample code:
> >>>     System.Security.Principal.WindowsIdentity ident =
> >>>         System.Security.Principal.WindowsIdentity.GetCurrent();
> >>>     System.Security.Principal.WindowsPrincipal prin =
> >>>         new System.Security.Principal.WindowsPrincipal(ident);
> >>>     System.Threading.Thread.CurrentPrincipal = prin;
> >>>     if (prin.IsInRole(@"domain\group"))
> >>>     {
> >>>         btnUpdate.Visible = true;
> >>>     }
> >>> When the user is not connected to the network, it is possible to log
> >>> on because of the user's offline profile.
> >>>
> >>> But then the code doesn't work, because the user has no memberships.
> >>> I thought the group membership would be stored in the offline user
> >>> profile too.
> >>>
> >>> What can I do to solve that problem?
> >>>
> >>> Thanks for the help.
> >>>
> >>> Tim
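As an added example (not code from the thread or from either poster), the following C# console program carries Dominick's advice through to an application: the roles are configured as group SIDs captured once while online, membership is decided with IsInRole(SecurityIdentifier), and name translation is kept for display only so that its offline failure cannot break authorisation. The class and method names and the role table are assumptions made here, and the group SID is a constructed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not code from the thread: authorise on group SIDs so the check also
// works on a machine logged on with a cached profile, when no domain controller answers.
static class OfflineRoleCheck
{
    // Hypothetical role table: SIDs captured once while online ("whoami /groups") and
    // shipped in the application's configuration instead of "domain\group" names.
    // The SID below is a constructed placeholder, not a real group.
    static readonly Dictionary<string, SecurityIdentifier> Roles =
        new Dictionary<string, SecurityIdentifier>
        {
            { "Updater", new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1234") }
        };

    // True if the logon token carries this group SID. IsInRole(SecurityIdentifier) checks
    // the token itself (CheckTokenMembership), so no name lookup against a DC is needed,
    // and groups marked "deny only" in the token are correctly not counted as membership.
    static bool IsInRoleBySid(WindowsIdentity id, SecurityIdentifier groupSid)
    {
        return new WindowsPrincipal(id).IsInRole(groupSid);
    }

    // Name translation is for display only: offline it throws IdentityNotMappedException,
    // the same kind of lookup that IsInRole(@"domain\group") depends on in the original code.
    static string Describe(IdentityReference group)
    {
        try
        {
            return group.Translate(typeof(NTAccount)).Value + " [" + group.Value + "]";
        }
        catch (IdentityNotMappedException)
        {
            return group.Value + " (name not resolvable offline)";
        }
    }

    static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Console.WriteLine("Groups in the current logon token:");
        foreach (IdentityReference g in id.Groups)
            Console.WriteLine("  " + Describe(g));

        foreach (KeyValuePair<string, SecurityIdentifier> role in Roles)
            Console.WriteLine(role.Key + ": " + (IsInRoleBySid(id, role.Value) ? "granted" : "denied"));
    }
}
```

Run it once connected and once with the network cable pulled: the SID list and the granted/denied result stay the same, only the display names fall back to the "not resolvable offline" form.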