15
votes

I have code that I use to check if the user is a member of the AD; it worked perfectly.

Now I want to add the possibility to check if the user is also a member of a group!

What do I need to modify to achieve that? I did some work, but it fails!

So here is my code:

        using System.DirectoryServices;

        //Authenticate a User Against the Directory
        private bool Authenticate(string userName, string password, string domain)
        {
            // An empty password would turn the bind into an anonymous LDAP bind,
            // so reject empty or null input before touching the directory.
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            {
                return false;
            }

            bool authentic = false;
            try
            {
                // Bind with the supplied credentials; reading NativeObject forces the bind.
                using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password))
                {
                    object nativeObject = entry.NativeObject;
                    authentic = true;
                }
            }
            catch (DirectoryServicesCOMException)
            {
                // Wrong credentials or unreachable domain: stay unauthenticated.
            }
            return authentic;
        }

I want to make it like this:

private bool Authenticate(string userName,string password, string domain, string group)
3
You may be using the wrong API for this task. Are you writing authentication code for an application? If so, there should be a much simpler API to use. For example, in ASP.NET, you can access this information using the Page.User object. Or is the purpose of the application actually to query Active Directory? – David

3 Answers

29
votes

This is not available on Windows XP or earlier.

Anyway, in order to check for group membership, you can use this code:

    using System.Security.Principal;

    // `user` is a user principal name (user@domain); the identity is obtained
    // from the domain without a password.
    bool IsInGroup(string user, string group)
    {
        using (var identity = new WindowsIdentity(user))
        {
            var principal = new WindowsPrincipal(identity);
            // `group` is matched as a role name, e.g. "DOMAIN\\GroupName".
            return principal.IsInRole(group);
        }
    }
8
votes

In ASP.Net you will use Page.User.IsInRole("RoleName") or in Windows you can use System.Threading.Thread.CurrentPrincipal.IsInRole("RoleName")

6
votes

I solve it with this code

    using System.DirectoryServices;

    public bool AuthenticateGroup(string userName, string password, string domain, string group)
    {
        // Refuse empty or null input: an empty password would turn the bind into an
        // anonymous LDAP bind, which must never count as authentication.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        {
            return false;
        }

        try
        {
            // Bind with the user's own credentials; a wrong password throws below.
            using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password))
            using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
            {
                // Escape the user-supplied value before embedding it in the filter; otherwise
                // characters such as '*' or ')' would change the query (LDAP injection).
                string safeName = EscapeLdapFilter(userName);
                mySearcher.Filter = "(&(objectClass=user)(|(cn=" + safeName + ")(sAMAccountName=" + safeName + ")))";
                SearchResult result = mySearcher.FindOne();

                // FindOne returns null when no object matches.
                if (result == null)
                {
                    return false;
                }

                // memberOf holds the distinguished names of the user's direct groups.
                // Contains is a substring test: "Admins" also matches "CN=DomainAdmins,...".
                foreach (string GroupPath in result.Properties["memberOf"])
                {
                    if (GroupPath.Contains(group))
                    {
                        return true;
                    }
                }
            }
        }
        catch (DirectoryServicesCOMException)
        {
            // Bad credentials or unreachable domain are treated as "not authenticated".
        }
        return false;
    }

    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    private static string EscapeLdapFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }

It works fine for me, and it can be used with a machine that is not part of the Domain Controller / Active Directory.

Thank you all for the help
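The following is an added example, not code from the asker or any of the answerers. It does the same job as the accepted approach (validate the credentials, then check group membership) using System.DirectoryServices.AccountManagement, which avoids building an LDAP filter by hand and compares the group by its sAMAccountName or SID rather than by a substring of the distinguished name. It assumes the `System.DirectoryServices.AccountManagement` assembly is referenced, that `domain` is reachable from the machine, and that `group` is given as a sAMAccountName (e.g. "Domain Admins") or a SID string; `AuthenticateInGroup`, `includeNested` and `AdGroupCheck` are names chosen for this example.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not the original poster's code). Assumes the AccountManagement
// assembly is referenced and that `group` is a sAMAccountName or a SID string.
public static class AdGroupCheck
{
    // Returns true only when the credentials are valid AND the user belongs to `group`.
    // With includeNested = true, membership through nested groups also counts.
    public static bool AuthenticateInGroup(string userName, string password, string domain,
                                           string group, bool includeNested = true)
    {
        // Reject empty/null up front: an empty password becomes an anonymous LDAP bind,
        // which can "succeed" without proving anything about the caller.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Passing the caller's credentials to the context lets this run from a machine
        // that is not joined to the domain; the context itself then binds as that user.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, userName, password))
        {
            // Explicitly validate the password; a wrong password fails here.
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                return false;

            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null)
                    return false;

                if (!includeNested)
                {
                    // Direct membership only: resolve the group as an object and compare
                    // identities, never a substring of the DN.
                    using (var grp = GroupPrincipal.FindByIdentity(ctx, group))
                        return grp != null && user.IsMemberOf(grp);
                }

                // GetAuthorizationGroups expands nested membership (token groups).
                using (var groups = user.GetAuthorizationGroups())
                {
                    foreach (var g in groups)
                    {
                        using (g)
                        {
                            bool nameMatches = string.Equals(g.SamAccountName, group,
                                                             StringComparison.OrdinalIgnoreCase);
                            bool sidMatches = g.Sid != null && g.Sid.Value == group;
                            if (nameMatches || sidMatches)
                                return true;
                        }
                    }
                }
                return false;
            }
        }
    }
}
```

Usage is `AdGroupCheck.AuthenticateInGroup("jdoe", password, "corp.example", "Domain Admins")`. Two points differ from the memberOf loop above: the group is resolved as an object, so a name such as "Admins" cannot accidentally match "DomainAdmins", and nested membership is taken into account, which the memberOf attribute alone does not show.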