0 votes

Hello,
I have a web service that checks if a user is a member of a group. I am not concerned if they are a direct member or an indirect member of a group, but if the user is in the group (or any of their groups is in the group) I need the method to return true. I know that I can use the IAdmGroup object to get a list of all members (direct and indirect) of the group but this service is going to be used quite a bit, and some of the groups could be very large (10,000+). I pulled the user object and used Groups() but it doesn't identify groups that the user is a nested member of. Is there a simple way to get a boolean response to if a user is a member of a group. Here is an example: User A is a member of group 2. Group 2 is a member of Group 1. My method needs to return true when I pass it User A and Group 1. I am using ADSI, c# (.Net 4.0), and WCF.

by (140 points)

1 Answer

0 votes
by (215k points)

Hello,

We've updated our SDK with an example that shows how to get all groups a user is a member of (directly or indirectly). Take a look at the second example in the following article: http://www.adaxes.com/sdk/?SampleScript ... ember.html.

0

Here is the solution we came up with. Hope this helps someone else with a similar problem.

List<string> Groups = new List<string>();
            var admUser = (IAdmTop) user;
            var groups = (Object[]) admUser.MemberOf;
            foreach (byte[] bytes in groups)
            {
                Guid guid = new Guid(bytes);
                var group = GetGroup("Adaxes://<GUID=" + guid.ToString() + ">");
                var name = group.Name;
                if (group.Name.Contains("CN="))
                    name = group.Name.Replace("CN=", string.Empty);
                Groups.Add(name);

            }
0

Hello,

In your script, you get the group name by accessing the Name property of the IADs interface. The property returns the Relative Distinguished Name (RDN) of an AD object. An RDN consists of an attribute type and attribute value in the format <attribute_type>=<attribute_value>, for example CN=My Group. To get the name of an AD object without the attribute type, you need to get the Name property of the object. For this purpose, use the Get property of the IADs interface. For example, in your code:

List<string> Groups = new List<string>();
            var admUser = (IAdmTop) user;
            var groups = (Object[]) admUser.MemberOf;
            foreach (byte[] bytes in groups)
            {
                Guid guid = new Guid(bytes);
                var group = GetGroup("Adaxes://<GUID=" + guid.ToString() + ">");
                var name = group.Get("name");
                Groups.Add(name);
            }
0

Hi

No matter what, it coud be really cool to have a Adm-IsUserMember cmdlet in the next version of Adaxes 8-)

- Thanks

Related questions

0 votes
1 answer

Our Help Desk currently 'mirrors' the group membership of a new user based on another existing user in our AD. I'd like to be able to automate this so that the initiator ... and 'paste' it on the new user being created. Any help on this would be appreciated!

asked Apr 21, 2020 by RayBilyk (180 points)
0 votes
1 answer

There is a script to indicated if a user is a member of any listed groups. Is it possible to have a version of the script that checks a group or member of any nested group? Current script page: https://www.adaxes.com/script-repositor ... s-s294.htm

asked Apr 30, 2018 by adaxes_user (420 points)
0 votes
1 answer

We want to check, if the number of a new team (group) is unique. The number is stored in the attribute "gidNumber". I have a business rule executing before creating ... $NULL) { $Context.Cancel("Ein Team mit dieser Team-Nummer existiert bereits!") return } }

asked Oct 13, 2020 by lohnag (100 points)
0 votes
1 answer

Hello, I want to check if a user is alredy a member of a specific group before doing sometings. This is the piece of code that works well if I execute it on Powershell ... .LogMessage($_.Exception.Message, "Warning") } } So what's wrong?? Thanks in advance!

asked Jun 29, 2016 by tentaal (1.1k points)
0 votes
1 answer

Hi, I'd like to implement a rule to ensure that telephoneNumber value is unique accross the domain for each user, either after creation or updates. I tried to implement a ... one (before change). How to get the new value in the script ? Thanks Stephen

asked May 31, 2011 by sroux (800 points)
2,640 questions
2,375 answers
6,305 comments
985,958 users