This question has been asked many times before on this forum. We need to see your code to evaluate the issue. For example, if Memberof is not retrieved, then most likely you wrote it wrong (must be memberOf and not Memberof) or maybe you forgot to mark it for loading
DirectorySearcher search = new DirectorySearcher("...");
search.PropertiesToLoad.Add("memberOf");
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Company.com", "DC=SomeDC,DC=COM", username, Password);
UserPrincipal up = UserPrincipal.FindByIdentity(ctx, strUserName);
PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups();
var iterGroup = groups.GetEnumerator();
GetAuthorizationGroups gives "Object reference not set error"
Code 2: // Using memberOf
DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = "(&(objectClass=user)(|(cn=" + userName + ")(sAMAccountName=" + userName + ")))";
SearchResult result = mySearcher.FindOne();
foreach (string GroupPath in result.Properties["memberOf"])
{
    if (GroupPath.Contains(group))
    {
        return true;
    }
}
The Group is not found in the above method
Code 3:
using (var context = new PrincipalContext(ContextType.Domain, "company.com", "DC=someDC,DC=COM", username, Password))
{
    using (UserPrincipal up = UserPrincipal.FindByIdentity(context, strUserName))
    {
        using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, strGroup))
        {
            // Verify user is not currently a member
            if (group.Members.Contains(up))
            {
                return true;
            }
        }
    }
}
I have not been able to check the specific group, which I am looking for. The group is inside another group.
Let's check #2. I suppose, you've copied the complete code and if it does not generate any error then it means that the filter is correct and the user has been found.
Try to modify it as follows
mySearcher.PropertiesToLoad.Add("memberOf");
SearchResult result = mySearcher.FindOne();
Make sure that the group value is correct. For debug purposes you might try to output all groups using Console.Write or Response.Write to see what is inside.
The method "GetAuthorizationGroups" at times works and it finds the Group which I am looking for. However 70% of the time, I get the Object reference not set error.
Well, the code looks correct and if you receive some groups, it means it works. Not sure why it does not return all groups, you might try to check with ldap browser. Maybe that group is from another domain or something like this...
Is there any other code similar to "GetAuthorizationGroups" ?
If the user is not directly part of the group, but is part of the parent group.. I mean, the Group I am searching is a subgroup. The user is part of the parent group..
This is the reason for the behaviour with "not all groups". The groups are all and the code was correct, but the "memberOf" property lists only parent groups. You can still use the same code but you would need to do extra loops to check for nested groups
I'm not sure why the other code is not working for you, but it seems the problem is not in the groups.
If here
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Company.com", "DC=SomeDC,DC=COM", username, Password);
UserPrincipal up = UserPrincipal.FindByIdentity(ctx, strUserName);
PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups();
var iterGroup = groups.GetEnumerator();
you receive an error
GetAuthorizationGroups gives "Object reference not set error"
then it sounds like UserPrincipal is null and FindByIdentity did not return any user. It means you need to debug and see why PrincipalContext or FindByIdentity return null.
when the UserPrincipal is not null, I am getting the error as "{System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to retrieve the authorization groups, an error (110) occurred.".
Stack Trace: at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
I modified the code as below:
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "Company.com","DC=SomeDC,DC=COM",ContextOptions.Negotiate,username,Password );
UserPrincipal up = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, strUserName);
if (up != null)
{
    // fetch the group list
    PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups();
}
Check if User is part of AD Group
Mar 03, 2014 07:06 AM|venkatzeus
Hi,
How to check if user is part of AD Group or not using C#.
I am using VS 2010 and C#. I am trying to check if user is part of Group.
I have tried the "GetAuthorizationGroups", but it gives the Object reference not set error.
I have tried "Memberof" option, but not all the Groups are retrieved.
Is there any other way to check if a user is part of Group or not in AD?
Thanks
Mar 03, 2014 07:22 AM|smirnov
This question has been asked many times before on this forum. We need to see your code to evaluate the issue. For example, if Memberof is not retrieved, then most likely you wrote it wrong (must be memberOf and not Memberof) or maybe you forgot to mark it for loading
DirectorySearcher search = new DirectorySearcher("...");
search.PropertiesToLoad.Add("memberOf");
Mar 03, 2014 07:54 AM|venkatzeus
Hi,
It is a security Group.
I have tried the following code(s);
Code 1: // Using GetAuthorization Group
GetAuthorizationGroups gives "Object reference not set error"
Code 2: // Using memberOf
The Group is not found in the above method
Code 3:
I have not been able to check the specific group, which I am looking for. The group is inside another group.
Thanks
Mar 03, 2014 08:18 AM|smirnov
Let's check #2. I suppose, you've copied the complete code and if it does not generate any error then it means that the filter is correct and the user has been found.
Try to modify it as follows
Make sure that the group value is correct. For debug purposes you might try to output all groups using Console.Write or Response.Write to see what is inside.
Also you can try to test it using some ldap tools, such as LDAP Browser http://www.ldapbrowser.com/download.htm
Mar 03, 2014 08:31 AM|venkatzeus
Hi,
I have tried the below, but still the "Security Group" is not found
I have also tried the code from : http://snipplr.com/view/31116/
But the same result.
The method "GetAuthorizationGroups" at times works and it finds the Group which I am looking for. However 70% of the time, I get the Object reference not set error.
Thanks
Mar 03, 2014 09:15 AM|smirnov
Why did you add that condition? Do you get null when using FindOne()?
Mar 03, 2014 09:17 AM|venkatzeus
Hi,
I did not get a null value.
But checked for null before further processing.
Mar 03, 2014 09:24 AM|smirnov
Well, the code looks correct and if you receive some groups, it means it works. Not sure why it does not return all groups, you might try to check with ldap browser. Maybe that group is from another domain or something like this...
Mar 03, 2014 09:34 AM|venkatzeus
Hi,
Is there any other code similar to "GetAuthorizationGroups" ?
If the user is not directly part of the group, but is part of the parent group.. I mean, the Group I am searching is a subgroup. The user is part of the parent group..
Is it possible to search in this case.
Thanks
Mar 03, 2014 10:40 AM|smirnov
This is the reason for the behaviour with "not all groups". The groups are all and the code was correct, but the "memberOf" property lists only parent groups. You can still use the same code but you would need to do extra loops to check for nested groups
(&(memberOf=...)(objectClass=group))
http://www.codeproject.com/Articles/27281/Retrieve-Names-from-Nested-AD-Groups
I'm not sure why the other code is not working for you, but it seems the problem is not in the groups.
If here
you receive an error
then it sounds like UserPrincipal is null and FindByIdentity did not return any user. It means you need to debug and see why PrincipalContext or FindByIdentity return null.
According to http://stackoverflow.com/questions/12041459/active-directory-memberof-property-doesnt-contain-nested-security-groups the GetAuthorizationGroups() method should return nested groups...
Mar 04, 2014 01:01 AM|venkatzeus
Hi,
when the UserPrincipal is not null, I am getting the error as "{System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to retrieve the authorization groups, an error (110) occurred.".
Stack Trace: at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
I modified the code as below:
Thanks
Mar 25, 2014 07:10 AM|smirnov
Under what identity is your process running on the server? Most likely, that user does not have the correct rights to access your Active Directory.
The membership in the Windows Authorization Access Group is required to execute GetAuthorizationGroups.
See the following article: http://support.microsoft.com/kb/331951
Also you can try
Hope this helps.