SharePoint Group Users AD Group

  • Question

  • Hi,

    I have a SharePoint group, SPGroup, which has users from an AD group, ADGroup. Now if a user who is not part of ADGroup wants to join SPGroup, the Group Owner or Administrator should not be able to add him. Is this possible in SharePoint?

    Please share if anybody has an idea on this. Thanks.

    Jason.

    Tuesday, January 15, 2013 1:14 PM

Answers

  • Hi,

    Now here the case is complicated; no OOTB way is possible here. You need to do it programmatically.

    In case you are OK with this approach, I would suggest this piece of code:

    // This gives you the user's details from Active Directory.
    // Requires: using System.DirectoryServices; using System.Web.Hosting;
    // LdapPath is the LDAP path of your domain, defined elsewhere in the class (not shown in this post).

    public static UserProfile GetUserDetailsFromActiveDirectory(string loginName)
    {
        using (HostingEnvironment.Impersonate())
        {
            // UserProfile can be your custom class which declares all of these properties;
            // it just captures the details from AD in one object.
            UserProfile userProfile = new UserProfile();

            // Escape LDAP filter metacharacters (RFC 4515) so the login name cannot change the filter.
            string safeLoginName = loginName.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

            using (DirectoryEntry de = GetDirectoryEntryPath())
            using (DirectorySearcher ds = new DirectorySearcher(de))
            {
                ds.Filter = "(&(objectCategory=Person)(objectClass=user)(sAMAccountName=" + safeLoginName + "))";
                ds.SearchScope = SearchScope.Subtree;

                SearchResult results = ds.FindOne();
                if (results != null)
                {
                    userProfile.FirstName = GetProperty(results, "givenName");
                    userProfile.MiddleName = GetProperty(results, "initials");
                    userProfile.LastName = GetProperty(results, "sn");
                    userProfile.Email = GetProperty(results, "mail");
                    userProfile.Company = GetProperty(results, "company");
                    userProfile.Phone = GetProperty(results, "telephoneNumber");
                    userProfile.Alias = GetProperty(results, "sAMAccountName");
                }
            }

            return userProfile;
        }
    }

    // Builds the root entry for the search; the caller disposes it.
    public static DirectoryEntry GetDirectoryEntryPath()
    {
        using (HostingEnvironment.Impersonate())
        {
            DirectoryEntry dep = new DirectoryEntry();
            dep.Path = LdapPath;
            //dep.Username = LdapUserName;
            //dep.Password = LdapPassword;
            dep.AuthenticationType = AuthenticationTypes.Secure;
            return dep;
        }
    }

    // Returns the first value of the named AD property, or an empty string if it is not set.
    public static string GetProperty(SearchResult searchResultdetails, string ActiveDirectoryPropertyName)
    {
        using (HostingEnvironment.Impersonate())
        {
            if (searchResultdetails.Properties.Contains(ActiveDirectoryPropertyName))
            {
                return searchResultdetails.Properties[ActiveDirectoryPropertyName][0].ToString();
            }
            else
            {
                return string.Empty;
            }
        }
    }
    

    Once you have this information, check which AD group this user belongs to, and if this user is not in the Active Directory group named "ADGroup" then do not add this user to your SPGroup.

    Let me know about your feedback


    Thanks, Ali Yasir http://www.sharepointstack.blogspot.in/

    Thursday, January 17, 2013 12:21 PM
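
The membership check that the answer above describes but does not show, as an added example that is not part of the original post. The class name `GuardedGroupMembership`, the parameters `ldapPath` and `adGroupDn` (the distinguished name of ADGroup) and the helper names are assumptions made for illustration; the check uses Active Directory's in-chain matching rule so that nested membership counts.

```csharp
using System;
using System.DirectoryServices;
using Microsoft.SharePoint;

// Illustrative helper (hypothetical names): add a user to a SharePoint group
// only if the account is in a given AD group, directly or through nesting.
public static class GuardedGroupMembership
{
    // AD's LDAP_MATCHING_RULE_IN_CHAIN: memberOf is evaluated through nested groups.
    private const string InChain = "1.2.840.113556.1.4.1941";

    // Escape LDAP filter metacharacters (RFC 4515) in a value placed into a filter.
    private static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // True if the account is a direct or nested member of the group with DN adGroupDn.
    // memberOf does not reflect a user's primary group, so use a non-primary group.
    public static bool IsInAdGroup(string ldapPath, string loginName, string adGroupDn)
    {
        // SharePoint login names look like DOMAIN\user (or i:0#.w|domain\user with claims);
        // sAMAccountName is the part after the last backslash.
        string sam = loginName.Substring(loginName.LastIndexOf('\\') + 1);
        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=person)(objectClass=user)"
                      + "(sAMAccountName=" + EscapeFilter(sam) + ")"
                      + "(memberOf:" + InChain + ":=" + EscapeFilter(adGroupDn) + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            return ds.FindOne() != null;
        }
    }

    // Adds the user to the SharePoint group only when the AD check passes.
    // A directory error propagates as an exception, so the user is not added (fail closed).
    public static bool AddUserIfInAdGroup(SPWeb web, string spGroupName, string loginName,
                                          string ldapPath, string adGroupDn)
    {
        if (!IsInAdGroup(ldapPath, loginName, adGroupDn))
            return false;
        SPUser user = web.EnsureUser(loginName);
        web.SiteGroups[spGroupName].AddUser(user);
        return true;
    }
}
```

This guards only additions made through this code path; a group owner adding a user through the SharePoint UI is not constrained by it. Membership is checked at the time of the add, so a user later removed from ADGroup stays in SPGroup until removed there as well.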
  • One more thought,

    try the SPUtility.GetPrincipalsInGroup method. This method gets users or groups that belong to the specified group. The specified group can be a Microsoft Windows security group, an ASP.NET role, or a SharePoint group.

    Sample code:

    // Recursively expands a group into the login names of its member users.
    private void ResolveGroup(SPWeb w, string name, List<string> users)
    {
        // Set to true when the 100-principal limit was reached, so the result may be incomplete.
        bool reachedMaxCount;
        foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out reachedMaxCount))
        {
            if (i.PrincipalType == SPPrincipalType.SecurityGroup)
            {
                ResolveGroup(w, i.LoginName, users);
            }
            else
            {
                users.Add(i.LoginName);
            }
        }
    }
    [...]
    List<string> users = new List<string>();
    foreach (SPUser user in SPContext.Current.Web.AllUsers)
    {
        if (user.IsDomainGroup)
        {
            ResolveGroup(SPContext.Current.Web, user.LoginName, users);
        }
        else
        {
            users.Add(user.LoginName);
        }
    }


    Thanks, Ali Yasir http://www.sharepointstack.blogspot.in/

    Thursday, January 17, 2013 12:25 PM

All replies

  • Yes, this should be possible.

    Raghavendra Shanbhag | Blog: www.SharePointColumn.com
    Please click "Propose As Answer " if a post solves your problem or "Vote As Helpful" if a post has been useful to you.
    Disclaimer: This posting is provided "AS IS" with no warranties.

    Tuesday, January 15, 2013 6:44 PM
  • Yes you can,

    very much introduced in SharePoint 2010 especially.

    Try to follow this link and I hope you will get your answer:

    http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx

    http://social.technet.microsoft.com/Forums/zh/sharepointadmin/thread/c3fb3aae-c95c-46a0-b1a7-b19dca0fe7de


    Thanks, Ali Yasir


    • Edited by AliYasir Tuesday, January 15, 2013 9:10 PM
    Tuesday, January 15, 2013 9:09 PM
  • Hi Indul,

    Beg your pardon, but this is to remind you again: please do not self-propose your answer. Let others get this privilege to do it for a certain query and its answer.

    One more point: the answer which you proposed seems not to be in line with the query. The initiator has asked how to add users in SharePoint who are NOT in AD Group.

    Kindly give references of the link rather than sharing the whole page.

    http://sp2010adgroupmembers.codeplex.com/


    Thanks, Ali Yasir

    Wednesday, January 16, 2013 5:06 AM
  • Hi Ali Yasir,

    I believe FBA authentication does allow us to add a user (not in AD) to the site. But my criterion was to add users from a particular AD group to the SharePoint group.

    Users who are not part of this AD group should not be allowed to be added in SharePoint.

    I hope this is clear now. Thanks for your time.

    Jason

    Thursday, January 17, 2013 9:25 AM
  • Hi Raghavendra,

    Can you please tell how this can be implemented?

    Thanks!

    Jason

    Thursday, January 17, 2013 9:27 AM