How do I check for domain group membership?

I have a WinForm app that will run on XP boxes in a Win2003 AD domain named "GTI.int". I have several Universal security groups named "ILF_x", one of which is "ILF_Installer" and I have made myself a member of that group for development. There are arrays of security group names associated with menu items along with other things that should be enabled or disabled based on security group membership, though my example code only uses the one group "ILF_Installer" for testing. I need a method that will iterate the array of acceptable security group names and return true if the current user is a member of at least one group, or false otherwise.

I have tried the below listed code without success to test for my membership in the "ILF_Installer" group.

As always, any help would be greatly appreciated.

--------------------- SNIP ---------------------
AppDomain myDomain = Thread.GetDomain();
myDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;

Console.WriteLine("Principle:" + prin.Identity.Name);

// The preceding line correctly displays GTI\MyUserName

if ( prin.IsInRole("ILF_Installer") )
    Console.WriteLine("ILF_Installer");
// The preceding block does NOT display "ILF_Installer" as desired.
--------------------- SNIP ---------------------

Hello Byron,
you have to use the fully qualified group name - which is DOMAIN\GroupName

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks for the reply, but even when it is changed to:
if ( prin.IsInRole(@"GTI\ILF_Installer") )
    Console.WriteLine("ILF_Installer");

it still fails the check even though I know I'm a member of that domain universal security group. Since my name comes back as "GTI\UserName" I'm sure I'm logged into the right domain.

Can you think of anything else that could be causing an issue?

The following works.
public static void Main(string [] args)
{
    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    WindowsPrincipal p = (WindowsPrincipal) Thread.CurrentPrincipal;
    WindowsIdentity i = (WindowsIdentity) p.Identity;
    if(p.IsInRole(@"Galactic\IT")) doit();
}

--
Derek Davis
ddavi***@gmail.com

Not sure what happened with the other post...
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal p = (WindowsPrincipal) Thread.CurrentPrincipal;
WindowsIdentity i = (WindowsIdentity) p.Identity;
if(p.IsInRole(@"Galactic\IT")) doit();

--
Derek Davis
ddavi***@gmail.com

Hello Byron,
use whoami /groups from the command line to check the exact spelling of the group names... (whoami is included in w2k3 -> otherwise resource kit)

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
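
The method the original post asks for, written as an added example that is not code from any participant in this thread: it qualifies bare group names with the domain before calling IsInRole, and lists the groups in the logon token by name, the in-process counterpart of whoami /groups. The class and method names and the group ILF_Admin are assumptions made for illustration; WindowsIdentity.Groups requires .NET 2.0 or later.

```csharp
using System;
using System.Security.Principal;

static class GroupCheck
{
    // True if the current Windows user is in at least one of the named groups.
    // Names without a backslash are qualified with defaultDomain ("GTI" in the thread).
    public static bool IsInAnyGroup(string[] groupNames, string defaultDomain)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        foreach (string name in groupNames)
        {
            string qualified = name.IndexOf('\\') >= 0 ? name : defaultDomain + "\\" + name;
            if (principal.IsInRole(qualified))
                return true;
        }
        return false;
    }

    // Prints every group in the logon token as DOMAIN\Name so the strings passed
    // to IsInRole can be compared against what the token really contains.
    // The token's group list is fixed at logon: a membership added afterwards
    // only appears once the user has logged on again.
    public static void DumpTokenGroups()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                Console.WriteLine(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // SID with no resolvable account name (for example, a logon SID).
                Console.WriteLine(sid.Value + " (no name mapping)");
            }
        }
    }

    static void Main()
    {
        // "ILF_Admin" is a made-up second group name for the example.
        string[] allowed = { "ILF_Installer", @"GTI\ILF_Admin" };
        Console.WriteLine("User: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Allowed: " + IsInAnyGroup(allowed, "GTI"));
        DumpTokenGroups();
    }
}
```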