Last post Feb 22, 2012 09:45 AM by KrimblKrum
Feb 09, 2012 10:35 AM|KrimblKrum|LINK
I've developed a Windows service that acts as a server application, using .NET remoting. I wrote a client application that communicates with the Windows service. I would like to pass the client user's security information (i.e. WindowsIdentity object, SID) to the server application, and have the server application resolve permissions based on membership of a local group on the server. However, the user might not be added to the local group directly, but through a domain group or nested domain group instead.
I'm familiar with querying LDAP using DirectoryServices, where a user is a member of a group directly, but not nested memberships. Could someone describe what needs to be done to accomplish my goal, or point me in the right direction?
For what it's worth, I'm using Visual Studio 2005 with the .NET Framework 2.0.
Feb 12, 2012 09:30 PM|SonicMan|LINK
Maybe you can use a program to achieve the function like this:
Feb 22, 2012 09:45 AM|KrimblKrum|LINK
The following link led me to the answer I was looking for; within the "Solution 2: A faster implementation of IsUserInGroup" section. I adapted the author's example to fit my own needs. For example, I use the System.Security.Principal.NTAccount class instead of his custom NTuser class.
By accessing the tokenGroups property of the user's DirectoryEntry, I quickly get a complete list of groups (and nested groups) that the user is a member of. I'm able to compare those values against the members collection of the DirectoryEntry for the local group, and determine that the user is a member where a match occurs.
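The approach described in the last post, written out as an added example (this is not the poster's code or the linked article's code). It reads the constructed tokenGroups attribute of the user's domain object, which already contains every group SID the user carries including nested domain groups, enumerates the direct members of a local group through the WinNT provider, and reports a match on SID rather than on account name. The LDAP path, the local group name and the SID values in the comments are assumptions for illustration; the code targets .NET 2.0, so it avoids LINQ and var.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example: resolve local-group membership on the server, including
// membership obtained through nested domain groups, by comparing SIDs.
public static class LocalGroupMembership
{
    // Every group SID the user is a member of, direct and nested, as held by the
    // domain. tokenGroups is a constructed attribute, so it must be requested
    // explicitly with RefreshCache; a plain Properties[] lookup returns nothing.
    // ldapUserPath is assumed to be an LDAP path for the user's object, e.g.
    // "LDAP://CN=jdoe,OU=Users,DC=example,DC=com" (placeholder, not from the thread).
    public static List<SecurityIdentifier> GetTokenGroupSids(string ldapUserPath)
    {
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        using (DirectoryEntry user = new DirectoryEntry(ldapUserPath))
        {
            user.RefreshCache(new string[] { "tokenGroups" });
            foreach (object raw in user.Properties["tokenGroups"])
            {
                // Each value is the binary form of a SID.
                sids.Add(new SecurityIdentifier((byte[])raw, 0));
            }
        }
        return sids;
    }

    // Direct members of a local group on this machine, as SIDs. The WinNT provider
    // exposes a member's SID through the objectSid property. Local groups cannot
    // nest other local groups, so direct members plus tokenGroups covers the
    // nested cases the original question asks about.
    public static List<SecurityIdentifier> GetLocalGroupMemberSids(string localGroupName)
    {
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        string path = "WinNT://" + Environment.MachineName + "/" + localGroupName + ",group";
        using (DirectoryEntry group = new DirectoryEntry(path))
        {
            foreach (object member in (IEnumerable)group.Invoke("Members"))
            {
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    byte[] sidBytes = entry.Properties["objectSid"].Value as byte[];
                    if (sidBytes != null)
                    {
                        sids.Add(new SecurityIdentifier(sidBytes, 0));
                    }
                }
            }
        }
        return sids;
    }

    // Pure comparison step, kept separate from the directory calls so it can be
    // exercised without a domain. A match on the user's own SID means the user
    // was added directly; a match on any tokenGroups SID means membership came
    // through a domain group or a nested domain group.
    public static bool IsMember(SecurityIdentifier userSid,
                                IList<SecurityIdentifier> userGroupSids,
                                IList<SecurityIdentifier> localGroupMemberSids)
    {
        foreach (SecurityIdentifier member in localGroupMemberSids)
        {
            if (member.Equals(userSid))
            {
                return true;
            }
            foreach (SecurityIdentifier groupSid in userGroupSids)
            {
                if (member.Equals(groupSid))
                {
                    return true;
                }
            }
        }
        return false;
    }

    // Server-side entry point: the client's WindowsIdentity supplies the SID,
    // the domain supplies the group list, the local machine supplies the members.
    public static bool IsUserInLocalGroup(WindowsIdentity clientIdentity,
                                          string ldapUserPath,
                                          string localGroupName)
    {
        SecurityIdentifier userSid = clientIdentity.User;
        List<SecurityIdentifier> userGroups = GetTokenGroupSids(ldapUserPath);
        List<SecurityIdentifier> localMembers = GetLocalGroupMemberSids(localGroupName);
        return IsMember(userSid, userGroups, localMembers);
    }
}
```

Two points worth keeping in mind when adapting this: reading tokenGroups requires a bind to a domain controller under an account allowed to read the user's object, so the service account's rights matter; and because the decision is made on SIDs rather than names, a renamed account or group does not silently change the outcome, which is the reason to prefer SID comparison over NTAccount string comparison for an authorization check.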