Validate if a user is a member of group in AD
How do I verify whether a user is a member of "Department" group or not in Active directory using powershell?
I can see the member by going to properties -- Member of -- and can see all the members of users.
How do i do the same in Powershell?
Hi,
Here's an example you can build from:
$userToCheck = 'tester1'
$users = Get-ADGroupMember -Identity 'Test Group 1'
If ($users.SamAccountName -contains $userToCheck) { Write-Host "$userToCheck is a member of the group" }
Else { Write-Host "$userToCheck is NOT a member of the group" -ForegroundColor Red }
Don't retire TechNet! -
(Don't give up yet - 12,700+ strong and growing)
Similar Messages
-
713060: Tunnel Rejected: User (user) not member of group (group_name), group-lock check failed.
Hi,
I just configure VPN for end users in PIX515e with IOS 8 and get stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". Can someone please help me and tell me how I add user to my VPN group?
Regards
MikaelMay be you are looking for this-
ASA1(config)# username msveden attributes
ASA1(config-username)# group-lock value mygroup
Thanks
Ajay -
Active Directory users not made member of Local Network group
Hi all,
I've just done a clean install from 10.6 Server to 10.8.4.
The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
The Setup:
In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
Members in that group are:
- AD-Domain User Group (so should be all users in the domain)
- MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
- AD User 1
- AD User 2
- AD User 3
The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
The Behaviour:
AD User 1 can access AFP and other services as expected.
AD User 2 and 3 cannot.
Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
Yet other users within AD-Domain User Group or netaccounts cannot
Furthermore:
If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group. I can still login with that account!
Diagnosis:
I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
>dseditgroup -o checkmember -m ADUser1 accessserver
yes ADUser1 is a member of accessserver
>dseditgroup -o checkmember -m ADUser2 accessserver
no ADUser2 is NOT member of accessserver
>dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
yes ADDomainUser/netacc is a member of accessserver
>dseditgroup -o checkmember -m n accessserver
no ADUser2 is NOT member of accessserver
When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
I get the same results even after removing the user from the Groups screen!
Failed Solutions
- As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
- I've let the system just sit, in hopes delayed replication would solve the problem overnight.
- I've deleted and recreated the groups.Upon further investigation we have discovered:
a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
b) This is NOT limited only to MacOS X Server 10.8. The same behaviour is occuring on a long-running 10.6 server as well.
c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually. If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
d) Which users are allowed and which are not is unclear and appears generally random. We have found 3 'classes' of users:
1 - those that are successfully becoming members every time.
2 - those that are intermittent members. Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
3 - those that are never successfully admitted as a member.
So the problem is both Apple's and Windows in that:
Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
Windows: Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
Really hoping people have some ideas on this. This system of nested groups or individual user access is something we have of course being using for many years. So this is a major setback. -
Hi,
I need VB script which to checks the perticular user in AD and if it exists;that user needs to be removed from the member of perticular group
Ex:- Lets say
I have a user 783562 , I need to search this user in AD to verify user exists or not. If not then I no need to remove the mebership from perticular group
Second scenario:-
If user exists then I need to remove the user membership from the perticular group.I want to do it in automation
Manual Path:-
1.Type dsa.msc in run command of IT session(we using it to connect remote desktop).
2. Select the domain & right click (EX:-corp.ds.xxyyzz.com) and select "Find" to find the user form the domain.
3. Type the user name in the Name field and click on "Find Now" button user name will be displayed in search result.
4. Double click on this user ID and select "Member Of" tab.
5. Select any member of group from the Name section then click on "Remove" button.
6. Finally click on "Apply" and "OK" button.
Kindly help me out to do this by using vb script.
Thanks
RajaUsage: CScript NameOfVBS.vbs //NOLOGO /User:Jane.Doe /GroupDN:CN=Group1,DC=Contoso,DC=com
Option Explicit
On Error Resume Next
Dim str_User
Dim str_GroupDN
Dim obj_Connection
Dim obj_Command
Dim obj_RootDSE
Dim str_DNSDomain
Dim str_Base
Dim str_Filter
Dim str_Attributes
Dim str_Query
Dim obj_RecordSet
Dim obj_Group
Dim str_ADsPath
Dim obj_User
str_User = WScript.Arguments.Named("User")
str_GroupDN = WScript.Arguments.Named("GroupDN")
If Len(Trim(str_User)) > 0 And Len(Trim(str_GroupDN)) > 0 Then
Set obj_Connection = CreateObject("ADODB.Connection")
Set obj_Command = CreateObject("ADODB.Command")
obj_Connection.Provider = "ADsDSOOBject"
obj_Connection.Open "Active Directory Provider"
Set obj_Command.ActiveConnection = obj_Connection
Set obj_RootDSE = GetObject("LDAP://RootDSE")
str_DNSDomain = obj_RootDSE.Get("defaultNamingContext")
str_Base = "<LDAP://" & str_DNSDomain & ">"
str_Filter = "(&(objectCategory=person)(sAMAccountName=" & str_User & "))"
str_Attributes = "cn,ADsPath"
str_Query = str_Base & ";" & str_Filter & ";" & str_Attributes & ";subtree"
obj_Command.CommandText = str_Query
obj_Command.Properties("Page Size") = 1000
obj_Command.Properties("Timeout") = 1
obj_Command.Properties("Cache Results") = False
Set obj_RecordSet = obj_Command.Execute
obj_RecordSet.MoveFirst
If obj_RecordSet.RecordCount = 0 Then
WScript.Echo str_User & " was not found"
Else
Set obj_Group = GetObject("LDAP://" & str_GroupDN)
str_ADsPath = obj_RecordSet.Fields("ADsPath")
Set obj_User = GetObject(str_ADsPath)
obj_Group.Remove(obj_User.AdsPath)
If Err.Number = 0 Then
WScript.Echo str_User & " was removed from group " & str_GroupDN
ElseIf Err.Number = -2147016651 Then
WScript.Echo str_User & " not a member of group " & str_GroupDN
Else
WScript.Echo str_User & " error removing from group " & str_GroupDN
End If
End If
End If -
IAC 3.1.1 users who are member of more than one OrgUnit are not able to order services?
Hi,
Power Down, Power Cycle, Take Snapshot and Decommission services are not working for users who are member of more than one organization!!
Error Message:
The service form could not be submitted because of following error: [newscale][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the nvarchar value '1,2' to data type int.
Thanks,
MazHi,
Power Down, Power Cycle, Take Snapshot and Decommission services are not working for users who are member of more than one organization!!
Error Message:
The service form could not be submitted because of following error: [newscale][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the nvarchar value '1,2' to data type int.
Thanks,
Maz -
Hello everyone,
I have to bind our application from ActiveDirectory to eDirectory. Is
there a simple way to determine if the currently logged in user is a
member of a group?
In ActiveDirectory this is really simple but in eDirectory (using the
LDAP C#-library) it seems that I always have to create LDAP strings
which always have to contain username and password (which is an
absolutely no-go in my opinion).
I found many articles to my problem but no one with an easy solution.
Perhaps someone got this running without the novell LDAP library through
Microsoft DirectoryServices-Namespace.
inno1
inno1's Profile: http://forums.novell.com/member.php?userid=109362
View this thread: http://forums.novell.com/showthread.php?t=437637-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A few things come to mind. First your authentication problem; binding
anonymously is definitely allowed in eDirectory, and is even allowed by
default, but that doesn't mean the environment you are hitting will allow
it. This is something you'll need to check with whomever setup the
eDirectory environment. The documentation should cover how to set
restrictions like anonymous binds.
Next we have what I'm guessing is how you are searching for the group. I
do not see how you are going to find either your group or your user in the
group using that code so I'll suggest something else that I think is
better taking advantage of the power of eDirectory and LDAP. First a
little more information about eDirectory. By default group memberships
are shown on both the group and user sides so you can either query the
entire directory for groups that have users in their 'members' attribute,
or you can go to the user and simply get a listing of all of the values in
the groupMembership attribute. This is the best way, in my opinion, to
see if a user is a member of a group.
Now, about finding the user. In LDAP environments objects are found by
full DNs, not just their relative DNs or usernames. If you do not have a
full DN (users seldom know the full DN or use them) the first step is to
find these, which you can do with a search like you are doing, although
hopefully you wouldn't need to loop through results. Having a query like
the following should find the user in one shot in a well-designed environment:
(&(objectClass=inetorgperson)(cn=userNameHere))
Once you have found the resulting DN of the user you can find the
groupMembership attribute and either use the full set of values in that
attribute or you can iterate through the values looking for the group DN.
For both user and group you must use the full DN to verify membership.
Good luck.
On 04/28/2011 02:36 AM, inno1 wrote:
>
> ab;2100491 Wrote:
>> The check for is a user is a member of a group does not require the
>> password...I ask because the samples from the LDAP-library (ListGroup.cs, for
> example) all seem to require a password. The samples check the number of
> command line arguments and if something is missing the program does not
> work.
>
> ab;2100491 Wrote:
>> what do you mean[..]
> I need a function like
> Code:
> --------------------
> bool UserIsMemberOf(string groupName) {}
> --------------------
> to determine if a user is a member of a group.
>
> I get the userName from Environment.UserName and the groupName the user
> has to be a member of is configured somewhere in my application.
>
> In ActiveDirectory I just connect to LDAP://RootDSE and everything
> works fine.
>
> ab;2100491 Wrote:
>> [..] and what does your code look like?
> I used the 'Using .NET C# LDAP Library'
> (http://www.novell.com/coolsolutions/...e/11204.html):
>
>
> Code:
> --------------------
> Anonymous Binding
>
> // C# Library namespace
> using Novell.Directory.Ldap;
>
> // Creating an LdapConnection instance
> LdapConnection ldapConn= new LdapConnection();
>
> //Connect function will create a socket connection to the server
> ldapConn.Connect (ldapHost,ldapPort);
>
> //Bind function with null user dn and password value will perform anonymous bind
> //to LDAP server
> ldapConn.Bind (null, null);
> --------------------
>
> After this ldapConn.Bound is false. Is this correct? It could be
> correct because I didn't really authenticate when doing anonymous
> binding but it could be also wrong because even an anonymous bind should
> be a form of authentication.
>
> I also tried Identity Bind:
>
>
> Code:
> --------------------
> Binding using an Identity
>
> // C# Library namespace
> using Novell.Directory.Ldap;
>
> // Creating an LdapConnection instance
> LdapConnection ldapConn= new LdapConnection();
>
> //Connect function will create a socket connection to the server
> ldapConn.Connect(ldapHost,ldapPort);
>
> //Bind function will Bind the user object Credentials to the Server
> ldapConn.Bind(userDN,userPasswd);
> --------------------
> After this, ldapConn.Bound is true but the user has to give a password.
> I don't want the user to have to use a password because in this case the
> user has to configure it somewhere in the configuration of my
> application.
>
> Then - for testing purposes - I wrote a function to get the users of a
> group:
>
>
> Code:
> --------------------
> LdapSearchResults lsc=ldapConn.Search("ou=Users,o=DomainAdmins", LdapConnection.SCOPE_ONE, "objectClass=*", null, false);
>
> string result = String.Empty;
>
> while (lsc.hasMore()) {
> LdapEntry nextEntry = null;
>
> try {
> nextEntry = lsc.next(); // <--- EXCEPTION: see [1]
> } catch(LdapException e) {
> result = String.Concat(result, "Error: ", e.LdapErrorMessage, Environment.NewLine);
> // Exception is thrown, go for next entry
> continue;
> }
>
> result = String.Concat(result, nextEntry.DN, Environment.NewLine);
>
> LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
> System.Collections.IEnumerator ienum = attributeSet.GetEnumerator();
>
> while(ienum.MoveNext()) {
> LdapAttribute attribute=(LdapAttribute)ienum.Current;
> string attributeName = attribute.Name;
> string attributeVal = attribute.StringValue;
> result = String.Concat(result, attributeName, "value:", attributeVal, Environment.NewLine);
> }
> }
> --------------------
>
>
> [1] "00000000: LdapErr: DSID-0C090627, comment: In order to perform
> this operation a successful bind must be completed on the connection.
>
> I think this is the problem:
>
>
> Code:
> --------------------
> LdapSearchResults lsc=ldapConn.Search("ou=Users,o=DomainAdmins", LdapConnection.SCOPE_ONE, "objectClass=*", null, false);
> --------------------
>
>
> So, how does this have to look for a domain named "MyDomain.com" for a
> group named "DomainAdmins" if I want to get all members of this group?
>
> And how does this have to look if I want to know if a user named
> "myuser" is member of a group "mygroup" in domain "MyDomain.com"?
>
> I think this would help me a lot.
>
> ab;2100491 Wrote:
>> There may be a need for authentication that would require a
>> username/password but that depends on the rights you assign to your
>> tree
>> to allow (or deny) anonymous access.So, this is someone the customer has to configure I think. Since I only
> want to read from a domain it has to work some way without giving a
> password.
>
> ab;2100491 Wrote:
>> Good luck.Thank you very much!
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNujvFAAoJEF+XTK08PnB5Vn4QAJ8wDKZw5h Q5AWWkeMhKZ57U
DctNKO9Wl1xU3agTp+PjgFFCQMHTiME7/UFU7/KR+eyY0hgp9R6r0k2lK3iX1TFd
1Zwg0rkEjV+Pydy7vHk/LvqpoyWYKhrSGHhvkj/RChiIj1yEKR0rgAXGZG8NPemO
nIXJtPHQ8ZkH8ZrEGfL+25abIc5b0Ch5KXN76nSFRGORgqPRvO 2gpQW36KKj+Tfq
RZARJgBKyKaG4MOlatnS2ZNuAy1meI/1oTN/ouO8K1MR+Hey2ZvI85VUSlg3nG/z
fgj6QdIMj80KRnpgJCO4K7SFO6effHQaijRUIszz5xHxSEaPXv FcB/xPhRdedzxb
NKZu/rti0Jt3PABCG3nibbUcA05vbb6mLbufwDISJGXyUp5PK3533yT xoGFjkt1I
PL+p7ZpL4Q5s4wHBGME0y579V5EfncqqUsFh2aONzhIAmOSxu0 huaqcLG5QWmQnQ
HMn8+npkdlyGGJy4hslpyoTQefYNsn7PdXig1KAMEZjQHGlI1S WJf/hsztcP4/jM
Zf8oKMZz/35+EphCgRgXl0h5gOFk+WpxHRJ8NyAVLZioV4mcUwBzLDD7d9z lW47/
SZxxlIOKpFB1c0FokkFR2SBteDsd4dzfMPgD7MTDBNj174u7wn y3LkSvWfPTDjBS
12SwchOZ+PPL3PxfsUNc
=/n4u
-----END PGP SIGNATURE----- -
• I am an experienced user and CC member. My request is that I be allowed to download the InDesign CC app please., even though I previously mistakenly downloaded InDesign CC (2014) TODAY…and later had to un-install it. PLEASE DIRECT ME TO A PAGE WHICH HAS THAT BUTTON AVAILABLE. I was unable to open and use InDesign CC 2014!!! It repeatedly caused freezes etc from which I could not be "untangled". (Im using Mac OSX-Lion 10.7.5)
I take it you want to download InDesign CC 9.2 (the version before InDesign CC 2014). You can do so from the Creative Cloud desktop app. Below the list of apps you've installed, there is a menu that lists previous versions:
-
Listing users that are member of special role
hello
if i have a role that called role1 then how i can list users that are member of this role?
thanksTry Pete Finnigans who_has_role.sql
http://www.petefinnigan.com/tools.htm -
Check if a user is a member of a specific group in AD
Hello guys,
I'm working on a c# webpart which alows users to sign in for lunch.
Basically i want to find if the current logged in user is in a specific group in AD, and then insert that group name into a list. could anyone give me any pointers?! Many thanks!
Mattpublic class ADGroupMembership : WebPart
protected override void CreateChildControls()
if (!this.Visible) return;
foreach (string str in GetCurrentUserGroups())
if (string.Compare(str, "Everyone") == 0)
// allow logic
LiteralControl ctrl = new LiteralControl("User is OK");
this.Controls.Add(ctrl);
break;
base.CreateChildControls();
public List<string> GetCurrentUserGroups()
List<string> groups = new List<string>();
foreach (System.Security.Principal.IdentityReference group in System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups)
groups.Add(group.Translate(typeof(System.Security.Principal.NTAccount)).ToString());
return groups;
Source:
http://www.codeproject.com/KB/system/everythingInAD.aspx -
Check if user is part of AD group using System.DirectoryServices.AccountManagement namespace
I am trying to validate a user from SharePoint to see if a user exists within an AD group. SharePoint does not allow you to do this so I am using the:
using
System.DirectoryServices.AccountManagement;
to validate user existance within that AD group. I found the following method that allows me to validate but bombing on me:
public bool IsUserInGroup(string username, string groupname, ContextType type)
PrincipalContext context = new PrincipalContext(type);
UserPrincipal user = UserPrincipal.FindByIdentity( context, IdentityType.Name, username);
GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupname);
return user.IsMemberOf(group);
When I call my method, i get
An operations error occurred.
I read that it might be an impersination error but I have my web.config set up already with:
<
authentication mode="Windows" />
<
identity impersonate="true" />
Any suggestions from someone that has worked with that namespace on SharePoint? I just want to plainly check to see if a user is part of a certain group on AD from SharePoint.
Victor Palma“An operations error occurred. “ may suggest a COMException is occurred.
I wrote an simple console application that works:
static void Main(string [] args)
Console .WriteLine(IsUserInGroup("Administrator" , "Domain Admins" ));
public static bool IsUserInGroup(string username, string groupname)
var foundUser = false ;
var context = new PrincipalContext (ContextType .Domain, "DC" );
var group = GroupPrincipal .FindByIdentity(context, groupname);
if (group == null )
context.Dispose();
throw new Exception ("Group could not be found: " + groupname);
// GetMembers(true) is recursive (groups-within-groups)
foreach (var member in group.GetMembers(true ))
try
if (member.SamAccountName.Equals(username))
foundUser = true ;
break ;
catch (Exception )
// One of the members could not be retrieved, moving on...
group.Dispose();
context.Dispose();
return foundUser;
Reference:
Recursive Active Directory group membership using System.DirectoryServices in .NET 3.5(http://www.lessanvaezi.com/recursive-active-directory-group-membership-using-system-directoryservices-in-net-3-5/)
Another important notice:
How to use the System.DirectoryServices namespace in ASP.NET(http://support.microsoft.com/default.aspx/kb/329986)
Keep It Simple and Stupid. -
User not displayed under a Group
HI All,
We are using BOXIR2 SP2 with .NET and have configured Windows AD authentication.
A user belongs to multiple groups. Some times a user may belong to 14- 20 groups. All these groups are added in CMC.
The issue is when I do a manual update of the AD graph some user accounts are not being updated. The only fix I have right now is to restart the CMS.
Also, when we see the properties of a UserA and check Member of we can see it belongs to GroupA.
But when we see the propertis of the same GroupA and check Users, the UserA is not displayed.
Could you please help me with this as this is our Production box and restarting the CMS is not a good solution.
Thanks in advance for your help,
VIf you are unable to resolve then you should open a message with support (authentication team) Issues like this typically require considerable tracing and analysis or the CMS and packet scans. We have never reproduced a bug with the AD plugin so in most cases the problem is usually in the configuration or AD setup. It's unlikely that changing the graph timeout will make any difference if the update is not occurring when you press update in CMC > Auth > AD.
Regards,
Tim -
GPO not applying to all users in the same security groups
If Elaine logs in on Angie's PC does it work?
Using Windows Server 2008 R1. I have a single domain with two DCs (both Server 2008 R1). Both DCs seem to be communicating without issues, as changes on one DC are replicating normally to the other for all services.I have a group policy set up to set drive mapping for my users. However when I run the GP modeling wizard only a few of the users receive the proper mappings. In this specific instance I have two users, Elaine and Angie. 1. Both are members of the Domain Users security group and another security group I created called Staff2. Neither user is a member of any other security groups.3. My group policy Security Filtering setting is set to apply the policy ONLY to the Staff security group4. When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied...
This topic first appeared in the Spiceworks Community -
Deploy applications/app-v packges: uninstall when not member of group/collection?
Hi,
Howto make sure an application/app-v package gets uninstalled when a user isn't member of the target group/pc isn't member of the targetted collection?
J.
Jan HoedtLet's say you create these two collections with the deployments as described:
Resource ... MyComputer1
Collection ... 7-Zip Install Collection
Deployment ... Action: Install
Application ... 7-Zip
Resource ... MyComputer1
Collection ... 7-Zip Uninstall Collection
Deployment ... Action: Uninstall
Application ... 7-Zip
Since MyComputer1 has both an Install and an Uninstall deployment, the Application will get Installed (uninstall deployments lose if there are both). However, if you were to remove MyComputer from the 7-Zip Install Collection, there would only be an
Uninstall deployment left.
While you would never want to micromanage 7-Zip this much, technically it would achieve what you are looking for with an application that needed this level of management.
Nash Pherson, Senior Systems Consultant
Now Micro -
My Blog Posts
If you found a bug or want the product to work differently,
share your feedback.
<-- If this post was helpful, please click the up arrow or propose as answer. -
Search for specific user in an Active Directory group
Hello,
I have an OU containing a number of Groups. Each group contains a number of members.
I'm currently retrieving the entire list of members from each group by searching for the members attrib for each group. This is not an ideal approach as the query execute time is a bit too long.
from what I can tell, the group class is group (opposed to a groupofuniquenames). Is there a way to query for the specific member?
ThanksThanks for the reply.
I have read the first post you gave, but not the second. I'm off to read that now.
My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
(&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
If that's correct and I require a DN, is there any way around this?
I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
Thanks again. -
Hi I would like to be able to check if the logged in user is a member of the administrator group programatically through c#
I know that I can get the user's GUID / check if they are actually a user in project server (resource table in reporting DB) but I am having trouble finding out how to programatically check if they are a member of the "Administrators" group.
Could somebody please provide a code sample of how to check if a user is in the administrators group when you have their GUID or username or name?
I did not see a table in the reporting DB that has this so I am guessing this has to be done through the PSI..
Thanks in advance!
BTW.. i am just wondering is there a way to check each groups permission levels? was wondering that if it is possible, what is the best way to implement a similar security model to that of the actual project server 2010hi Amit :) I ended up finding the answer myself before you posted here but thank you for your reply anyways, it is basically the same thing that I did.
This is what I ended up doing :) Basically I have three different types of users configured in my web.config - admins, readwrite users, and read only users. In my code here I loop through and find out who the person is. Based on what group they are in I
can later show/hide different options in my application :)
SvcSecurity.SecurityClient security = new SecurityClient(ENDPOINT_PROJ_SECURITY);
string adminGroupsString = ConfigurationManager.AppSettings["adminGroups"];
string readWriteString = ConfigurationManager.AppSettings["readWriteGroups"];
string readOnlyString = ConfigurationManager.AppSettings["readOnlyGroups"];
List<string> adminGroups = new List<string>(adminGroupsString.Split(';'));
List<string> readWriteGroups = new List<string>(readWriteString.Split(';'));
List<string> readOnlyGroups = new List<string>(readOnlyString.Split(';'));
List<Guid> adminGroupIDs = new List<Guid>();
List<Guid> readWriteGroupIDs = new List<Guid>();
List<Guid> readOnlyGroupIDs = new List<Guid>();
List<Project> projectList = new List<Project>();
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["RDB"].ConnectionString);
con.Open();
SqlCommand command = new SqlCommand("SELECT * FROM MSP_EpmResource where ResourceNTAccount = @username", con);
command.Parameters.AddWithValue("@username", this.User.Identity.Name);
SqlDataReader reader = command.ExecuteReader();
if (reader.Read())
string resourceID = reader["ResourceUID"].ToString();
//Get a list of security groups
SvcSecurity.SecurityGroupsDataSet sgds = security.ReadGroupList();
//Get the IDs of the required groups
foreach (SvcSecurity.SecurityGroupsDataSet.SecurityGroupsRow ds in sgds.SecurityGroups)
if (adminGroups.Exists(group => ds.WSEC_GRP_NAME == group))
adminGroupIDs.Add(ds.WSEC_GRP_UID);
else if (readWriteGroups.Exists(group => ds.WSEC_GRP_NAME == group))
readWriteGroupIDs.Add(ds.WSEC_GRP_UID);
else if (readOnlyGroups.Exists(group => ds.WSEC_GRP_NAME == group))
readOnlyGroupIDs.Add(ds.WSEC_GRP_UID);
bool isAdmin = false;
//Go through each group using the id and check if the current
//user is in that group (for example here check if the user is an admin)
foreach (Guid id in adminGroupIDs)
SecurityGroupsDataSet group = security.ReadGroup(id);
foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
if (member.RES_UID.ToString().Equals(resourceID))
isAdmin = true;
Session["createReport"] = "true";
break;
//If the user is not an admin then continue checking who they are
if (!isAdmin)
bool readWrite = false;
//Check if the user is a read write group member
foreach (Guid id in readWriteGroupIDs)
SecurityGroupsDataSet group = security.ReadGroup(id);
foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
if (member.RES_UID.ToString().Equals(resourceID))
Session["createReport"] = "true";
readWrite = true;
break;
//If the user is not a read write group member either then check if they are a team member
if (!readWrite)
foreach (Guid id in readOnlyGroupIDs)
SecurityGroupsDataSet group = security.ReadGroup(id);
foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
if (member.RES_UID.ToString().Equals(resourceID))
Session["createReport"] = "false";
break;
Cheers! :)
Maybe you are looking for
-
Hello, When opening up the planning layout, the Excel layout opens a "read only" with Excel 2010. It is working fine with Excel 2003 and 2007. Could someone please advice if you have come across a similar issue and how you hav resolved the same. Rega
-
Ios7 podcast playback speeds not working in Nissan Leaf
In ios6, I was able to control my iphone 4 through the stock radio (via usb sync cable) and playback podcasts at 1.5x or 2x speed. after upgradeding to ios7, I can no longer playback podcasts at higher speeds when I use the radio to navigate to a pod
-
Next page on ACS Report = Page not found
Hi, I have ACS Appliance Release 3.3(3) Build 11. Everything works fine, except in the TACACS+ Accounting and TACACS+ Administration, in the Report menu. When I try to click on the next page, it says "Page not found". The other reports work fine. Is
-
How do I get inside my iMac G4?
Hi Guys, I have an iMac (G4 800 MHz) and it is getting slower and the fan is getting louder. I have been told to clean the fan but I cannot actualy get inside to do that. I am a bit slow myself so can anyone advise me as to how I can open up my iMac?
-
Hi, Does RSP720-3C-10GE with 7600-PFC3C-10GE of 7609-S chassis support NBAR?