Posted on 08/28/2011
I have a .net 2008 desktop application in which I would like to coordinate access rights per user by taking information from Windows authentication and tying that information to Active Directory.
Basically, I would like to take the username from Windows authentication and pass that information to Active Directory so I can determine what groups the user has access to.
If the user is authenticated to the domain, you can use the ADSystemInfo object to retrieve their distinguished name.
With the distinguished name you can bind to the user object in AD and invoke the IADsUser interface to retrieve any attributes desired, such as MemberOf. The MemberOf attribute is a collection of the distinguished names of the groups the user is a direct member of (except their "primary" group, which should be "Domain Users").
If you have only one or a few group memberships to check, it would be more efficient to bind to the group object in AD and use the IsMember method (exposed by the IADsGroup interface) of the object to check whether the current user (retrieved from ADSystemInfo) is a member. Details depend on the language, but you should find documentation in MSDN.
Here is a VB example:
' Requires a reference to the Active DS Type Library (activeds.tlb).
Dim SysInfo As New ADSystemInfo
Dim Group As IADsGroup
' Bind to the group object by its distinguished name.
Set Group = GetObject("LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com")
' SysInfo.UserName is the distinguished name of the logged-on user.
If (Group.IsMember("LDAP://" & SysInfo.UserName) = True) Then
    ' Current user is a direct member of the group.
Else
    ' Current user is NOT a direct member of the group.
End If
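The same two checks (MemberOf enumeration, and IADsGroup.IsMember for a single group) in VB.NET with System.DirectoryServices, as an added example for the asker's .NET 2008 application; this is not code from the original answer. It assumes the process runs under a domain account, a reference to System.DirectoryServices.AccountManagement (.NET 3.5), and a placeholder group DN that you replace with your own.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement

Module AdGroupCheck
    ' Placeholder group DN; replace with a real group in your domain.
    Private Const GroupDN As String = "cn=Test Group,ou=West,dc=MyDomain,dc=com"

    ' DN of the account the process runs as (counterpart of ADSystemInfo.UserName).
    Function CurrentUserDN() As String
        Using user As UserPrincipal = UserPrincipal.Current
            Return user.DistinguishedName
        End Using
    End Function

    ' Direct group memberships read from the user's memberOf attribute.
    ' The primary group (normally Domain Users) is not listed here.
    Function DirectGroups(ByVal userDN As String) As List(Of String)
        Dim groups As New List(Of String)
        Using entry As New DirectoryEntry("LDAP://" & userDN)
            For Each dn As Object In entry.Properties("memberOf")
                groups.Add(CStr(dn))
            Next
        End Using
        Return groups
    End Function

    ' Cheaper check for one group: bind to the group and call IADsGroup.IsMember
    ' through late binding. Direct membership only; nested groups are not followed,
    ' so do not rely on this alone for authorization when groups are nested.
    Function IsDirectMember(ByVal groupDN As String, ByVal userDN As String) As Boolean
        Using group As New DirectoryEntry("LDAP://" & groupDN)
            Return CBool(group.Invoke("IsMember", "LDAP://" & userDN))
        End Using
    End Function

    Sub Main()
        Dim userDN As String = CurrentUserDN()
        Console.WriteLine("User: " & userDN)
        For Each g As String In DirectGroups(userDN)
            Console.WriteLine("  memberOf: " & g)
        Next
        If IsDirectMember(GroupDN, userDN) Then
            Console.WriteLine("Direct member of " & GroupDN)
        Else
            Console.WriteLine("Not a direct member of " & GroupDN)
        End If
    End Sub
End Module
```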