Check active directory group membership recursively

Question

So I have a question regarding recursive groups in active directory. I have a little method that checks if a user id is in a group or not. Works great. Found out today that it doesn't check recursive group membership and I'm not too sure how (or if) there is a way to do that. Here's what I have so far for non-recursive:

public static bool CheckGroupMembership(string userID, string groupName, string Domain)
{
  bool isMember = false;

  PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain, Domain);
  UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);

  if (user.IsMemberOf(ADDomain, IdentityType.Name, groupName.Trim()))
  {
    isMember = true;
  }

  return isMember;
}

I've seen some things about a directory searcher or something but I'm somewhat new to working directly with AD and while I understand the concepts, some other things are still a little lost on me.

Thanks!

Steve Young Steve Young · Accepted Answer · 2014-12-11T12:41:47

You can also check by using the recursive option of GroupPrincipal.GetMembers.

public static bool CheckGroupMembership(string userID, string groupName, string Domain) {
    bool isMember = false;

    PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain, Domain);
    UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);
    GroupPrincipal group = GroupPrincipal.FindByIdentity(ADDomain, groupName);

    if ((user != null) && (group != null)) {
        isMember = group.GetMembers(true).Contains(user);
    }

    return isMember;
}

Check active directory group membership recursively

2 Answers