Check if user is part of AD group using System.DirectoryServices.AccountManagement namespace

Similar Messages

• Check if user belongs to specific sharepoint group using designer workflow

  Hi,
  I am developing a SharePoint 2010 Designer workflow [Reusable workflow].
  Can I check if the workflow initiator belongs to specific SharePoint group. Do we have any action/activity for this?
  I have some business logic that needs to be executed if user initiating the workflow belongs to specific SharePoint group.
  Any suggestions/pointers on this would be highly appreciated.
  Regards, Ketan Gandhi

  Hi,
  You will not able to see it OOTB. You can refer this link if you want this
  workflow action.
  http://spdactivities.codeplex.com.
  Thanks.Please mark it as an answer if it helped.

• Dsget - query users *NOT* part of a group

  Hi all,
  Is it possible to query a distribution group, to display users *NOT* part of that group? Basically I need to work out which users are missing from a particular group. I can use dsget to obtain a list of members in part of a group but I need to do the reverse;
  "tell me who are missing from groupA". Is this possible?
  Thanks,
  Christian

  You can retrieve the DN of all users in the domain that are not direct members of a specified group using dsquery. For example (this is one line):
  dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(memberOf=TestGroup,ou=West,dc=MyDomain,dc=com))) -limit 0 > NotInGroup.txt
  You must specify the full Distinguished Name of the group in the (memberOf=xxx) clause. In this case I redirected the output to a text file, NotInGroup.txt. However, since the "Primary" group of a user is never included in the memberOf attribute of
  the user, this will not work if the specified group is the "primary" for any users. This limitation should only apply to the group "Domain Users", which by default is "primary" for all users. There are other ways to handle this if the group is "primary"
  for anyone.
  Richard Mueller - MVP Directory Services

• How to check if user is part of the specific OU in Active Directory

  Hi :
  We are trying to check if user is part of the specific OU or not , to do this I am invoking "Get Object Property Value"
  since if user is part of that OU in that case it should be able to get that property .
  However this activity is failing and not able to search for any proeprty , below is the snapshot of workflow which
  I have created for this , I am logging to cisco.com domain for this .

  Hi Anil
  You can run the "Get User Distinguished Name" action. This uses the login CISCO\username in your case to return the distinguished name which you are inputting including its OU.
  You could then run the get object property with the input LDAP path being the results from the Distinguished Name.
  Regards,
  Matt

• Check if a user belongs to specific SharePoint Group- using SharePoint Designer 2013/2010 Workflow

  Hi there,
          I am working on a SharePoint list and i would like users to be assigned permissions to items based on their groups.
  I did look at using workflows but i couldnt find anything useful :(
  Any tips or advice would be appreciated.
  Cheers

  Now that SP2013 workflows allow you to run web services, you could use REST/SOAP web service that, as I recall, allows you to enumerate a group for members:
  http://yoursite/yourmanagedpath/yoursitecollection/yoursite/_vti_bin/usergroup.asmx
  Do some reading on the GetUserCollectionFromGroup method and see if that doesn't get you what you are looking for...

• Any Simple Way to check wheter the user is belongs to SharePoint Group in Client object model

  Hi All,
  Generally we follow these steps to check whether user belongs to this perticular group:
  1.Get the "Group" object from the Group Collection based on the group name
  2.Get all UserCollection from the "Group" object
  3.Take a loop and check with each user object (eg User.ID="777473844")
  I am thinking this is time taking process( if group has more than 100 members).
  Do we have any shortway to check whether user is belongs to this perticular SharePoint Group?
  Thanks in Advance!
  Thanks,
  Mahesh Yamana
  Mahesh@SharepointSolutions

  Hi Mahesh,
  Below is a CSOM JS code to check whether a user belongs to a group. We get the current user object, and then the list of Groups which the user is part of. And then check if the required group is present or not in the collection.
  function retrieveWebSite() {
  var clientContext = new SP.ClientContext.get_current();
  this.oWebsite = clientContext.get_web();
  this.oCurrentUser = this.oWebsite.get_currentUser();
  this.oUserGroups = this.oCurrentUser.get_groups();
  clientContext.load(this.oUserGroups);
  clientContext.executeQueryAsync(
  Function.createDelegate(this, this.onQuerySucceeded),
  Function.createDelegate(this, this.onQueryFailed)
  function onQuerySucceeded(sender, args) {
  var Group1 = "Group Name One";
  var Group2 = "Group Name Two";
  var flag = false;
  var iCount = this.oUserGroups.get_count();
  for(var i=0; i<iCount; i++)
  oGroup = this.oUserGroups.getItemAtIndex(i);
  if(oGroup.get_title() != Group1 && oGroup.get_title() != Group2)
  flag=true;
  else
  flag=false; break;
  if(flag == true)
  //Write your logic here
  function onQueryFailed(sender, args) {
  alert('Request failed. ' + args.get_message() +
  '\n' + args.get_stackTrace());
  Ram Prasad Meenavalli | MCITP | MCTS SharePoint | MCPD SharePoint | http://www.spdeveloper.co.in

• Add multiple users to AD Group using AddRange

  All,
  I am trying to add multiple users to an AD security group using AddRange method but no luck.
  Reason why I am using AddRange method is, the memberlist is pretty big (30K users) and Quest or MSFT AD Cmdlets taking plenty of time to add them.
  I am following the instruction per http://msdn.microsoft.com/en-in/library/ms180904(v=vs.80).aspx but no luck.
  Code snippet:
  $groupmembers = Get-Content C:\Temp\MemberDN.txt
  $getgroup = [ADSI]"LDAP://CN=MYADGROUP,OU=GROUPS,DC=CONTOSO,DC=COM"
  $getgroup.properties.member.AddRange($groupmembers)
  #$getgroup.properties["member"].AddRange($groupmembers)
  $getgroup.CommitChanges()
  #$getgroup.SetInfo()
  I tried using ADSPATH as well but no luck.
  Any help or pointers are appreciated.
  Thanks.

  Hi PSPR,
  I agree with David .
  Also I tested that on my server2012r2 , please refer to :
  $user="cn=test1,cn=users,dc=test,dc=com","cn=test2,cn=users,dc=test,dc=com"
  $obj=[adsi]"LDAP://cn=test,cn=users,dc=test,dc=com"
  $obj.member.addrange($user)
  $obj.commitchanges()
  Hope it helps
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• What is t-code SHD0's 'Variant Groups' used for?

  hi all:
  What is t-code SHD0's 'Variant Groups' used for?
  It seems can't work,who can help me?
  thanksss.

  Variant groups
  An extension of the standard variants is involved in the variant groups; the standard groups are often insufficient:
  Different users (groups) should work with different variants;
  Some users should be able to execute a transaction with different variants.
  This is possible - in addition to the advantages that the standard variants offer - with variant groups:
  Variants from variant groups are automatically applied, but only for users that are assigned to them.
  A user can be assigned to several groups and can change the assignment.
  The values of the groups are not applied in the batch input mode.
  If a transaction is started with another transaction variant, the values are not additionally applied to a variant group.
  How are the variant groups maintained?
  You can enter the group names on the "Variant Group" tab and maintain variant groups with the "Create" or "Change" functions.
  The group name must be in the "correct" namespace.
  In addition, there are two Where-Used Lists:
  Which users are assigned to the group,
  For which transactions the group applies.
  Which transaction variants belong to the groups?
  The name of a transaction variant that is to belong to a group meets the following naming conventions:
  <Name of variant group><name of transaction code>. Example: A transaction variant is to be created for the XYZ transaction that belongs to GROUP1. The name of the transaction variant is then GROUP1XYZ.
  Due to this naming convention, the group name must be in the "correct" namespace.
  Transaction variants that (randomly) meet this naming convention do not necessarily belong to a group. The group assignment is activated by
  1. Creating a group
  2. Assigning users to this group
  A transaction variant that belongs to a group can also be used this way, like a transaction variant without a group.
  How are the transaction variants that belong to a group maintained?
  Transaction variants that belong to a group are maintained in the same way as all other transaction variants, they are distinguished using a naming convention (<name of variant group> <name of transaction codes>).
  They can be maintained in the "transaction variants" tab or in the "variant groups" tab. If you maintain them in the "variant groups" tab, you must always enter the transaction code so that the name of the transaction variant can be determined.
  Under what conditions is a variant from a group applied?
  A variant from a group is applied if users are assigned.
  (Only for the assigned users, all other users get the original transaction with a variant from a different group.)
  It is NOT sufficient to
  Create a group
  Create a variant that satisfies the naming convention.
  How do you assign users to groups?
  You can assign users in the "variant groups" tab in the "user assignment".
  Enter the user name.
  The user is assigned to the group with the "assign" function, but they see original transaction(s) or the transactions with variants from another group as the proposal.
  The assignment of users to the group is deleted using the "delete assignment" function.
  The user is assigned to the group using the "Set Proposal" function and the relevant transactions are started for this user with the corresponding variants.
  The proposal is canceled with the "Cancel Proposal" function, the assignment itself remains.
  If you enter the user names generically (*), you receive a selection screen in which you can
  Choose whether assignments or proposals are to be changed
  Further restrict user names (the group in the "all users from group" option has nothing to do with the variant group, it concerns the "user group for authorization check" from the user master record (logon data)).
  By choosing "Execute", you receive a list in which you can further restrict the user selection. The "Save" function saves the assignments for all selected users.
  If you want to start the report in the background, you can choose if just the list should be outputted, or if the database changes should also be performed.
  If a user is additionally also to be able to execute the original transaction, he must be assigned to the "empty group", the allocation takes place in the same way, in this case, nothing is simply entered in the group name field.
  Regards,
  Joy.

• Checking to see if the current User is part of the "Administrator Group"

  I am writing an installer for my program - in java - that basically just executes a .jar file. In the past, my software had a disclaimer that just tells the user to make sure that they are an administrator before installing - but we are not currently enforcing that.
  So my task is to develop a snippet of code that returns a boolean (true if the user has privileges, false if the user does not). Essentially checking to see if the user is part of the Administrators Group in windows. I created a creative solution for the Unix side of this problem, checking the root group, and some path names for root... but I am stumped on the Windows side of things. I KNOW there is a solution in C, in fact I have already created it (it involves a simple import of windows.h and a static variable check), but I would like a java solution instead.
  I have researched a bit in the java.security API and the JNI interface for executing my C code in java... but I would like to post here in case there is a simpler solution that I may be overlooking. The windows platform is XP for the most part, but possibly Vista as well.
  Thanks in advance for your replies, and sorry if this is a double-post, I tried searching beforehand.

  i found out that the fsutil command will not run correctly you are not a local administrator it gives the error message "The FSUTIL utility requires that you have administrative privileges.", right now i am using some string manipulation to try and catch this - another good command line option is net localgroups Administrataor

• Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

  same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
  same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
  How this is technically different?
  If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
  dhomya

  If the account is not admin on the domaincontrollers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing  accounts,
  groups, OUs,policies, sites, ...in other words cannot potentially ruin Active Directory.
  I think that is a pretty big difference.
  In fact, it is bad practice to perform you daily server management with an AD privileged account.
  In regards of file access. The domain administrator will be just an admin, and thus has the privilies assigned to the local admin group, just as any other admin. But if it are different accounts they might be member of different groups assigning different
  privileges. Always be carefull when assuming resulting privileges will be the same.
  MCP/MCSA/MCTS/MCITP

• PowerShell Script: How to query a current logon user in part of E.G AD group domain1\Group1 ?

  Hi Scripts guys,
  I am new to powershell . I would like to achieve the following :
  1. to check e.g if current logon user is member of .e.g. to domain1\group1
  if yes then execute another
  a. do a subst of a: to d:
  b. follow by executing the 2nd cmd e.g execute.ps1  
  else exit and
  proceed with execute.ps1
  please advice how best to achieve this ? Thanks in advance for your help :)

  When testing the "current user" for group memberships, I prefer to do it locally using the user's logon token rather than having to query the directory. This has the advantage of automatically dealing with nested group memberships, and working
  with local / builtin groups as well. Something along these lines:
  function Test-CurrentUserIsMember
  [CmdletBinding()]
  param (
  [Parameter(Mandatory = $true)]
  $Group
  $sid = $Group -as [System.Security.Principal.SecurityIdentifier]
  if ($null -eq $sid)
  $account = $Group
  if ($account -isnot [System.Security.Principal.IdentityReference])
  $account = [System.Security.Principal.NTAccount][string]$Group
  try
  $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
  catch
  throw "Group '$Group' could not be resolved to a Security Identifier"
  return ([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains $sid)
  if (Test-CurrentUserIsMember -Group 'DOMAIN1\Group1')
  # User is a member of the group (directly, or via nested group memberships.)
  Write-Host "Is Member"
  else
  # User is not a member of the group.
  Write-Host "Is Not Member"

• ACS 4.2 - one local user be part of multiple local groups

  Hello,
  I have a group of network engineers that need full admin access to two groups locally in ACS - Network Admins and LMS Admins <--- (New group created for recent LMS CiscoWorks installation).
  I have two NDG's - Cores and LMSserver <-- new
  Problem: If a user belongs to Network Admins group, user can login to the LMS server but limited functions.  If user is moved to LMS admin has full functions but loses level 15 access to the routers and switches, which are AAA clients for Cores.
  I've tried many different settings and still can not find the right one.  Is this doable in ACSv4.2?
  Thank you very much in advanced for your input.
  Cheers!

  Here is the a workaround to solve it.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless.
  Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and
  that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure
  group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2
  and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because
  NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG  or individual  NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a  NAR  configured assigning
  specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups            ACS groups
  A,B,C =============>  Group 1  
  A     =============>  Group 2
  B     =============>  Group 3
  C     =============>  Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in  group A (Group 2)
  You can create a rule for users in  group B (Group 3)
  You can create a rule for users in  group C (Group 4)
  Please check this links
  Group mapping order:
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm
  #wp940485
  Regards,
  ~JG
  Do rate helpful posts

• ECMA script to check if user is a member of sharepoint group

  Hi All,
  I need to check if the current user belongs to s particular SP group using ECMA script. I have written the following code
  function CheckIfCurrentUserIsCoordinator() {
  var clientContext = new SP.ClientContext.get_current();
  this.collGroup = clientContext.get_web().get_siteGroups();
  clientContext.load(collGroup);
  clientContext.load(collGroup, 'Include(Users)');
  this.currentUser = clientContext.get_web().get_currentUser();
  clientContext.load(currentUser);
  clientContext.executeQueryAsync(Function.createDelegate(this, this.onQuerySucceeded), Function.createDelegate(this, this.onQueryFailed));
  function onQuerySucceeded(sender, args) {
  var UserExistInGroup = false;
  var groupEnumerator = collGroup.getEnumerator();
  while (groupEnumerator.moveNext()) {
  var oGroup = groupEnumerator.get_current();
  if(oGroup.get_title()=='Group A')
  var collUser = oGroup.get_users();
  var userEnumerator = collUser.getEnumerator();
  while (userEnumerator.moveNext()) {
  var oUser = userEnumerator.get_current();
  if (oUser.get_loginName() == currentUser.get_loginName()) {
  UserExistInGroup = true;
  break;
  if(UserExistInGroup)
  break;
  if(UserExistInGroup)
  //code
  function onQueryFailed(sender, args) {
  alert('Request failed. ' + args.get_message() + '\n' + args.get_stackTrace());
  The code works fine if i log-in as a site collection owner. If i log-in as any other user having contribute access on site I get following error message
  "Access Denied. You do not have permission to perform this action or access this resource."
  What permission do i need to give users so that they can loop through all site groups and users?
  Thanks,
  Ameya

  Hey,
  Please check group settings for your group and set below property
  Who can view the membership of the group? to Everyone. It may resolve access related issue.
  Thanks. Please mark it as answer if it helps.

• Programatically Check if the logged in user is in the Administrators group in Project Server (C#, VS2010)

  Hi I would like to be able to check if the logged in user is a member of the administrator group programatically through c#
  I know that I can get the user's GUID / check if they are actually a user in project server (resource table in reporting DB) but I am having trouble finding out how to programatically check if they are a member of the "Administrators" group.
  Could somebody please provide a code sample of how to check if a user is in the administrators group when you have their GUID or username or name?
  I did not see a table in the reporting DB that has this so I am guessing this has to be done through the PSI..
  Thanks in advance!
  BTW.. i am just wondering is there a way to check each groups permission levels? was wondering that if it is possible, what is the best way to implement a similar security model to that of the actual project server 2010

  hi Amit :) I ended up finding the answer myself before you posted here but thank you for your reply anyways, it is basically the same thing that I did.
  This is what I ended up doing :) Basically I have three different types of users configured in my web.config - admins, readwrite users, and read only users. In my code here I loop through and find out who the person is. Based on what group they are in I
  can later show/hide different options in my application :)
  SvcSecurity.SecurityClient security = new SecurityClient(ENDPOINT_PROJ_SECURITY);
  string adminGroupsString = ConfigurationManager.AppSettings["adminGroups"];
  string readWriteString = ConfigurationManager.AppSettings["readWriteGroups"];
  string readOnlyString = ConfigurationManager.AppSettings["readOnlyGroups"];
  List<string> adminGroups = new List<string>(adminGroupsString.Split(';'));
  List<string> readWriteGroups = new List<string>(readWriteString.Split(';'));
  List<string> readOnlyGroups = new List<string>(readOnlyString.Split(';'));
  List<Guid> adminGroupIDs = new List<Guid>();
  List<Guid> readWriteGroupIDs = new List<Guid>();
  List<Guid> readOnlyGroupIDs = new List<Guid>();
  List<Project> projectList = new List<Project>();
  SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["RDB"].ConnectionString);
  con.Open();
  SqlCommand command = new SqlCommand("SELECT * FROM MSP_EpmResource where ResourceNTAccount = @username", con);
  command.Parameters.AddWithValue("@username", this.User.Identity.Name);
  SqlDataReader reader = command.ExecuteReader();
  if (reader.Read())
  string resourceID = reader["ResourceUID"].ToString();
  //Get a list of security groups
  SvcSecurity.SecurityGroupsDataSet sgds = security.ReadGroupList();
  //Get the IDs of the required groups
  foreach (SvcSecurity.SecurityGroupsDataSet.SecurityGroupsRow ds in sgds.SecurityGroups)
  if (adminGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  adminGroupIDs.Add(ds.WSEC_GRP_UID);
  else if (readWriteGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  readWriteGroupIDs.Add(ds.WSEC_GRP_UID);
  else if (readOnlyGroups.Exists(group => ds.WSEC_GRP_NAME == group))
  readOnlyGroupIDs.Add(ds.WSEC_GRP_UID);
  bool isAdmin = false;
  //Go through each group using the id and check if the current
  //user is in that group (for example here check if the user is an admin)
  foreach (Guid id in adminGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  isAdmin = true;
  Session["createReport"] = "true";
  break;
  //If the user is not an admin then continue checking who they are
  if (!isAdmin)
  bool readWrite = false;
  //Check if the user is a read write group member
  foreach (Guid id in readWriteGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  Session["createReport"] = "true";
  readWrite = true;
  break;
  //If the user is not a read write group member either then check if they are a team member
  if (!readWrite)
  foreach (Guid id in readOnlyGroupIDs)
  SecurityGroupsDataSet group = security.ReadGroup(id);
  foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
  if (member.RES_UID.ToString().Equals(resourceID))
  Session["createReport"] = "false";
  break;
  Cheers! :)

• Check drop down value with the sharePoint Group User In sharepoint 2010

  Hi,
  We have one requirement, When user selects any value from the Drop down we need to compare that value to the SharePoint Group.
  If that User is there in the group then only user allow to add new item to the list otherwise we need to display message(i.e. U r not a correct person).
  We used below code:
  public static bool IsUserMemberOfGroup(SPUser user, string grpname)
  bool result = false;
  if (!String.IsNullOrEmpty(grpname) && user != null)
  foreach (SPGroup group in user.Groups)
  if (group.Name == grpname)
  // found it
  result = true;
  break;
  return result;
  IsUserMemberOfGroup(ddlusers.selected value,"GrpName")
  But it's showing error.

  With regards to the error message: I'm assuming you are not using SPUser objects within the dropdown and that the first parameter you are passing is missing the . (period) between selected and value is just a typo.
  IsUserMemberOfGroup(ddlusers.selected value,"GrpName")
  Assuming that, it may be because (for the first parameter of IsUserMemberOfGroup) you are trying to pass in a string value (ddlusers.selected.value) when it is expecting an SPUser object.
  Two options (both requiring you to convert string to SPUser) are:
  1. Before you call the function convert the string to an SPUser object then pass in the SPUser
  2. Modify the first parameter of the function to be a string and do the conversion within the function (probably what I would do as more reusable).
  To convert to an SPUser it depends on what is listed within the drop down.
  If it is usernames then you can do something like: SPUser user
  = SPContext.Current.Web.EnsureUser(ddlusers.selected.value);
  If it is something else (not usernames) then you would need to workout how to convert to SPUser.
  A bit confused on what you are trying to achieve here - what if I select another user in the list that isn't me? Can I then add something to the list?