How to obtain the list of Groups a user belongs to

Active Directory and ASP.NET

by  AgentM  Posted    (Edited  )
Special thanks to Glowworm27 and AtomicChip for the FAQ [link http://www.tek-tips.com/faqs.cfm?fid=5440] How to use Active Directory with ASP.NET using LDAP? [/link] This article continues where they left off.

This FAQ discusses how to obtain the list of different Groups an ADS user belongs to. My application uses the user's group membership to determine access to different functions. Thus, there is no need to maintain separate access lists.

Before using the code, make sure you import System.DirectoryServices and, if needed, get the Windows username using HttpContext.Current.User.Identity.Name. The above-mentioned [link http://www.tek-tips.com/faqs.cfm?fid=5440] FAQ [/link] has more information.

Now let's get into the code. I created a function called GetUserGroups which takes the following inputs:

a) logged on username - make sure there is no domain name here, just the username
b) domain account - an account that has access to read ADS, e.g. Domainname\username
c) password for the domain account in (b)
d) domain name - this could be domainname.com or subdomainname.domainname.com etc.

The function returns a string value consisting of all the groups a user belongs to.

Code:
Public Function GetUserGroups(ByVal strUserName As String, ByVal strAdminUserId As String, ByVal strAdminPwd As String, ByVal strDomain As String) As String
First you need to find the username in ADS, then get the LDAP path to that object, then use the property "memberof" to obtain the list of groups.
Code:
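Try
  ' Bind to the domain with the account that is allowed to read ADS
  Dim deentry As DirectoryEntry = New DirectoryEntry("LDAP://" & Trim(strDomain), Trim(strAdminUserId), Trim(strAdminPwd))
  Dim dsSearcher As DirectorySearcher = New DirectorySearcher(deentry)
  ' strUserName goes into the filter as-is; characters such as * ( ) \ are
  ' filter syntax, so escape or reject them if the name comes from outside
  dsSearcher.Filter = ("(sAMAccountName=" & strUserName & ")")
  Dim srresult As SearchResult = dsSearcher.FindOne
  ' FindOne returns Nothing when no user matches; the Catch below handles that case
  Dim userpath As String = Trim(srresult.Path)

  ' ...More code coming here...

Catch ex As Exception
  ' The error text is returned in place of the group list
  Dim debug As String = ex.Message
  GetUserGroups = debug

End Try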

srresult.path gives the LDAP path to the user object in ADS. The path will be in the form
"LDAP://CN= LastName, FirstName, DC=DOMAIN, etc..."

For testing purposes if you just want to find the LDAP path to an object the best way is to use the program ADSI Edit.
You can get this program from the Windows 2000 tools on the CD.

Once we have the LDAP path to the object then all we have to do is create another directory entry using this path and then loop through the property collection or just direct the search result to what we want.

Code:
' Connect to the object
Dim mySearchRoot As DirectoryEntry = New DirectoryEntry(userpath, strAdminUserId, strAdminPwd)

Dim myDirectorySearcher As New DirectorySearcher(mySearchRoot)

' Get only the result for the property "memberof"
myDirectorySearcher.PropertiesToLoad.Add("memberof")
' If you remove the above line then the program will iterate through all the properties.

Dim mySearchResult As SearchResult = myDirectorySearcher.FindOne()

' Making sure we have results
If Not (mySearchResult Is Nothing) Then

   Dim strGrpList As String = ""
   Dim myCollection As Object

   For Each myCollection In mySearchResult.Properties("memberof")

     ' Removing extra LDAP path information from the collection
     ' You may want to modify it as per your requirements
     ' (a group whose path has no ",OU" part yields an empty string here)
     strGrpList = strGrpList & Replace(Left(myCollection, InStr(myCollection, ",OU", CompareMethod.Text)), "CN=", "")

   Next myCollection

   ' Return the accumulated group list
   GetUserGroups = strGrpList

Else

   GetUserGroups = "Path Not Found or Object not found"

End If

I have used this function in a Class and want to use it as a web service so that other departments in my company can use it.
This link from Microsoft helped me a lot with this code; you can use the code sample in the link to perform other ADS functions [link http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdirectoryservicessearchresultclasstopic.asp] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdirectoryservicessearchresultclasstopic.asp [/link]

Hopefully, this FAQ has been helpful to other people.