User.IsInRole() in Active Directory Question

  • Question

  • User-1188570427 posted

    I am working on an application where we have to authorize to certain pages in MVC3 by their roles/groups in AD.  I know you can do User.IsInRole("Domain\GroupName") in C# code in a cshtml page or use the Authorize attribute on a controller etc.  My question is this: when I read out all of the roles contained in User.IsInRole() via a RolePrincipal and a string array, it gives A LOT of groups that the user is just a part of.  How is this list tabulated exactly?  Of course the reason I am doing this is, if they have the specific role I am checking for, I expect it to be in the list; otherwise they should not have access to that page / controller etc. Just trying to figure out how I get all of these roles when an admin just puts me in a couple of roles, but via this process it shows me in a lot more roles/groups. 

    Wednesday, March 26, 2014 8:39 PM

Answers

  • User1508394307 posted

    If you get more roles than expected then it might be due to 

    a) nested security groups
    b) distribution lists

    If you use Active Directory authorization, User.IsInRole checks if the user is a member of the given group. It is not exactly the same as checking the groups that the user belongs to, because that only gives the direct memberships. User.IsInRole also checks nested group membership. An example:

    • UserA is a member of GroupA
    • GroupA is a member of GroupB

    Now if you check the direct memberships of UserA you will only get GroupA. But User.IsInRole will indicate that UserA is a member of GroupB thanks to the nesting.

    Distribution lists (DL) are public lists that are published as distribution group objects in Active Directory. They are "mail-enabled" and could be used e.g. to send emails. See here for some examples on how to get security groups and distribution lists: http://msdn.microsoft.com/en-us/library/bb924542%28v=vs.90%29.aspx 

    Just run ADSI Edit/Active Directory Users and Computers and see exact groups and lists.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, March 27, 2014 4:05 AM
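    The following console program is an added example, not code from the original thread. It shows, for one account, the three lists that get confused in the question: the direct memberships an admin sees on the "Member Of" tab, the transitive security-group membership that System.DirectoryServices.AccountManagement computes, and the group SIDs in the Windows logon token, which is what WindowsPrincipal.IsInRole actually consults (with Windows authentication in IIS, HttpContext.User is a WindowsPrincipal over the request user's token, and the default WindowsTokenRoleProvider builds RolePrincipal's role list from those same token groups). Two points the answer above does not spell out: the token contains only security groups, so distribution lists inflate the role list only if roles are read from memberOf over LDAP rather than from the token; and the token also carries well-known groups (Domain Users, Authenticated Users, Everyone, BUILTIN\Users, ...), which is most of why the list looks so long. The program assumes a domain-joined machine, .NET Framework 4.x with a reference to System.DirectoryServices.AccountManagement, and a domain named CONTOSO; GroupA and GroupB are the hypothetical groups from the answer.

```csharp
// Added example, not from the original post. Lists direct vs. nested vs. token
// group membership to explain why IsInRole() "knows" about groups an admin never
// assigned directly. Assumes a domain-joined host; CONTOSO, GroupA and GroupB are
// hypothetical names. Run as: GroupAudit.exe [sAMAccountName]
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

static class GroupAudit
{
    static void Main(string[] args)
    {
        string sam = args.Length > 0 ? args[0] : Environment.UserName;

        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null)
            {
                Console.Error.WriteLine("No such user: " + sam);
                return;
            }

            // 1. Direct memberships (the memberOf attribute): this is what ADUC shows
            //    on the "Member Of" tab. It includes distribution lists but NOT groups
            //    that are reached only through nesting (GroupB in the answer's example).
            Console.WriteLine("Direct memberships of {0}:", sam);
            foreach (GroupPrincipal g in user.GetGroups().OfType<GroupPrincipal>()
                                              .OrderBy(x => x.SamAccountName))
            {
                string kind = g.IsSecurityGroup == true ? "security" : "distribution";
                Console.WriteLine("  {0} [{1}]", g.SamAccountName, kind);
            }

            // 2. Effective security groups: nesting expanded, distribution lists dropped,
            //    well-known groups added. This mirrors what ends up in the logon token.
            Console.WriteLine("Effective (nested) security groups:");
            try
            {
                foreach (GroupPrincipal g in user.GetAuthorizationGroups().OfType<GroupPrincipal>()
                                                  .OrderBy(x => x.SamAccountName))
                {
                    Console.WriteLine("  {0}  {1}", g.SamAccountName, g.Sid);
                }
            }
            catch (PrincipalOperationException ex)
            {
                // Happens when a SID in the chain cannot be resolved (deleted group,
                // unreachable trusted domain); the token view below still works.
                Console.Error.WriteLine("  could not expand groups: " + ex.Message);
            }
        }

        // 3. The logon token of the current process: the SIDs IsInRole() is checked
        //    against. Note this is fixed at logon; a group change an admin makes now
        //    is not visible until the user gets a fresh token (new logon / new ticket).
        var identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);
        Console.WriteLine("Token groups of {0}:", identity.Name);
        foreach (IdentityReference sid in identity.Groups)
        {
            Console.WriteLine("  {0}", ResolveName(sid));
        }

        // Name-based check, as used in cshtml / [Authorize(Roles = ...)]: the name is
        // translated to a SID and looked up in the token, so the nested GroupB is true
        // even though it is not a direct membership. A name that does not resolve
        // simply yields false, so a typo in the role string silently denies access.
        foreach (string role in new[] { @"CONTOSO\GroupA", @"CONTOSO\GroupB" })
        {
            Console.WriteLine("IsInRole({0}) = {1}", role, principal.IsInRole(role));
        }

        // SID-based check: immune to group renames and look-alike names in other
        // domains. Domain Users is in every domain account's token, which is one of
        // the "extra" roles the question is asking about.
        SecurityIdentifier domainSid = identity.User.AccountDomainSid;
        if (domainSid != null)
        {
            var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid, domainSid);
            Console.WriteLine("IsInRole(Domain Users by SID) = {0}", principal.IsInRole(domainUsers));
        }
    }

    // Translate a SID to DOMAIN\Name; token lists routinely contain SIDs that no
    // longer resolve (deleted groups, foreign domains), so fall back to the raw SID.
    static string ResolveName(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }
}
```

    Run it once as the user whose role list looks too long: the difference between list 1 and list 3 is exactly the nesting plus the well-known groups. If the MVC application's role list contains entries that are not in list 3 (for example mail-enabled distribution lists), the roles are not coming from the token but from a custom RoleProvider that reads memberOf, and that provider is what needs to filter on the group type. The authorization decision itself should be pinned to a specific security group, ideally by SID rather than by display name, and the group's nesting should be reviewed, since every group nested into it inherits access to the controller.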

All replies

  • User-1188570427 posted

    This is great. Thanks.  I was trying to explain it yesterday and did not do a good job at it :-(

    Thursday, March 27, 2014 5:43 AM