Getting the Groups a User belongs to (in a service)

Messages
This message was discovered on microsoft.public.dotnet.security.
Responses highlighted in red are from those people who are likely to be able to contribute good, authoritative information to this discussion. They include Microsoft employees, MVPs and others who IMHO contribute well to these kinds of discussions.

Adam Byrne
Hello,
I need to be able to get the SIDs of a user and all the groups they belong to. This code would be running within a service. I am currently using the DirectoryServices namespace to successfully do this - but the service needs to be logged on as a domain account for it to work. I would prefer to have the service logged on as LocalSystem, but when I do this an exception is generated when I try to access the objectSID property of the DirectoryEntry object representing the user.
I have also tried using a WMI query to no avail (works as an application but not as a service).
Retrieval of the SID for a user now works if I use the LookupAccountName API. But now I can't enumerate the groups that the user is in. I use the Invoke method of the DirectoryEntry object to get the "Groups" collection. But it raises the exception "COMException (0x80070035): The network path was not found". Is there another way to get the groups a user is in? Am I going about this in a completely wonky way?
Incidentally the service is a server that initially authenticates the client using SSPI. Following authentication I try to get the SIDs of the groups that the client user belongs to. I have tried impersonating the client but I still get the same errors.
Any thoughts would be greatly appreciated.
Thanks,
Adam
Joe Kaplan (MVP - ADSI) (VIP)
Well, IF the machine is a domain member, then binding without credentials specified SHOULD work as the server's credentials should be picked up in that case and you should get an authenticated bind. Trying to bind with AuthenticationTypes.Secure specified might help with this.
If that doesn't work, I suggest opening the user's object in AD by binding with specific credentials. If you specify a username and password, you will definitely get an authenticated bind or a failure. At that point, you should be able to read most attributes on the user.
I also suggest you get the user's tokenGroups attribute as opposed to their objectSID attribute. TokenGroups contains an array of the SIDs of the security groups the user belongs to including nested groups and the primary group. This is by far the fastest way to get all of the relevant SIDs. ObjectSID will only get you the user's SID.
Since tokenGroups is a constructed attribute, you may need to call the overload of RefreshCache that allows you to specify specific attributes to retrieve.
HTH,
Joe K.
"Adam Byrne" wrote in message news:... [Original message clipped]

Adam Byrne
Thanks Joe,
I ended up not using ADSI at all. But your suggestion of getting the TokenGroups property led me in the right direction. Because I am using SSPI explicitly, I can easily get a ClientSecurityToken which is the security token of the client user. Using this token and the GetTokenInformation API I was able to get everything I needed - without using ADSI.
-adam
"Joe Kaplan (MVP - ADSI)" wrote in message news:... [Original message clipped]
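The approach Adam settled on, written out as an added example (this is not code from the thread): given the client token handle that the SSPI context yields (assumed here to have been obtained already, e.g. with QuerySecurityContextToken, which the thread does not name), call GetTokenInformation with TokenGroups and keep each SID together with its attribute flags, since the flags decide whether an entry actually counts as membership.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Reads TokenGroups from an SSPI client token; no directory lookup, so it works under LocalSystem.
static class TokenGroupReader
{
    const int TokenGroupsClass = 2;                  // TOKEN_INFORMATION_CLASS.TokenGroups
    const uint SE_GROUP_ENABLED = 0x00000004;
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;
    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);
    public struct GroupEntry
    {
        public SecurityIdentifier Sid;
        public bool Enabled;   // counts as membership for an access decision
        public bool DenyOnly;  // matches deny ACEs only; must NOT count as membership
    }
    public static List<GroupEntry> ReadGroups(IntPtr clientToken)
    {
        int needed;
        // The first call fails with ERROR_INSUFFICIENT_BUFFER and reports the required size.
        GetTokenInformation(clientToken, TokenGroupsClass, IntPtr.Zero, 0, out needed);
        IntPtr buf = Marshal.AllocHGlobal(needed);
        try
        {
            if (!GetTokenInformation(clientToken, TokenGroupsClass, buf, needed, out needed))
                throw new Win32Exception();           // carries the Win32 error code
            int count = Marshal.ReadInt32(buf);       // TOKEN_GROUPS.GroupCount
            int entrySize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
            long first = buf.ToInt64() + IntPtr.Size; // Groups[] follows, pointer-aligned
            var result = new List<GroupEntry>(count);
            for (int i = 0; i < count; i++)
            {
                var sa = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(
                    new IntPtr(first + (long)i * entrySize), typeof(SID_AND_ATTRIBUTES));
                result.Add(new GroupEntry { Sid = new SecurityIdentifier(sa.Sid),
                    Enabled = (sa.Attributes & SE_GROUP_ENABLED) != 0,
                    DenyOnly = (sa.Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0 });
            }
            return result;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
```

A service that authorizes by group must honour the flags: an entry marked deny-only (as in a restricted or filtered token) is not membership. On .NET 2.0 and later, `new WindowsIdentity(clientToken).Groups` performs the same GetTokenInformation call for you.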
That makes a lot of sense if you already have the logon token. No sense doing a lookup that the OS has already done for you.
I don't know if this helps you or not, but there is a cool .NET wrapper assembly for Win32 security posted by a Microsoft employee in the samples directory on GotDotNet that can save you a lot of time with the P/Invokes (although it sounds like you might already be done).
Joe K.
"Adam Byrne" wrote in message news:... [Original message clipped]