Active directory: member and memberof properties relationship

active-directory

Modifying member attribute of a group in Active Directory (let's say with asdiedit), automatically modifies memberOf property of corresponding user?

And as secondary question, setting member in the allowedAttributesEffective of a group automatically adds the memberof in the allowedAttributesEffective attribute of all users?

I have no permission yet to modify member property, so I cannot test by myself.

Best Answer

Yes, if you modify member attribute of a group. It will automatically update the memberOf attribute.

memberOf attribute is called computed back-link attribute or constructed attribute. It's maintained and calculated by Active Directory. You cannot modify this attribute.

Similarly, allowedAttributesEffective is a computed attribute, reflecting the actual ACLs set on the AD object. You cannot set this attribute directly but you can modify the ACLs on the AD object. This attribute will reflect the fact.

There is no relationship between group's allowedAttributesEffective attribute and user's allowedAttributesEffective. They are independent. Setting ACL on group object won't affect the ACL on user object that the group contains.

Related Solutions

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

C# – WindowsPrincipal.IsInRole and universal vs. global active directory groups

I found no good answer to my question, what I had to do was to write a new Principal class that scanned the directory for all groups that the user belongs to, and recursivly scan all those groups to solve group-in-group memberships. Code provided for users with the same problem. It's not the prittiest code I've written, but atleast it works.

Use like this:

var wp = new WindowsPrincipalEx(WindowsIdentity.GetCurrent());
result = wp.IsInRole(@"domain\role");



public class WindowsPrincipalEx : IPrincipal
{
    // Dictionary to store all groups, key = uppercase groupname, value = groupname as entered in AD
    private Dictionary<string,string> completeGroupList = new Dictionary<string,string>();
    // Private vars
    private WindowsIdentity identity;
    private string domain;

    // Identity property
    public IIdentity Identity
    { 
        get { return identity; }
    }

    // Constructor, accepts identity
    public WindowsPrincipalEx(IIdentity identity)
    {
        this.identity = (WindowsIdentity)identity;
        // Find domain name and store it for filtering purposes
        if (identity.Name.Contains('\\'))
            this.domain = identity.Name.Substring(0, identity.Name.IndexOf('\\') + 1);

        // Find all groups this user belongs to, and store the list for later use
        getRoles(completeGroupList);
    }

    public bool IsInRole(string role)
    {
        // Remove domain
        if (role.StartsWith(domain, StringComparison.CurrentCultureIgnoreCase))
            role = role.Substring(domain.Length);
        return completeGroupList.ContainsKey(role.ToUpper());
    }

    private void getRoles(Dictionary<string,string> groupList)
    {
        // Find username and remove domain
        string name = Identity.Name.Replace(domain,"");

        // Find user in AD
        DirectorySearcher search = new DirectorySearcher("(&(sAMAccountName="+name+")(objectCategory=user))");
        search.PropertiesToLoad.Add("memberof");

        SearchResult result = search.FindOne();
        if (result != null)
        {
            // Add all groups to the groupList dictionary
            foreach (string s in result.Properties["memberOf"])
            {
                string[] elements = s.Split(new char[] { ',' });
                foreach (string e in elements)
                    if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
                    {
                        if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
                            groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
                        break;
                    }
            }
        }

        // Scan through all groups found, and find group on group memberships recursevly
        foreach (var ng in groupList.ToArray())
            getRolesInRoles(groupList, ng.Key);
    }

    private void getRolesInRoles(Dictionary<string, string> groupList, string roleName)
    {
        string name = roleName.Replace(domain, "");

        // Find group in AD
        DirectorySearcher search = new DirectorySearcher("(&(cn="+name+")(objectCategory=group))");
        search.PropertiesToLoad.Add("memberof");

        SearchResult result = search.FindOne();
        if (result != null)
        {
            // Add all groups to the groupList dictionary
            foreach (string s in result.Properties["memberOf"])
            {
                string[] elements = s.Split(new char[] { ',' });
                foreach (string e in elements)
                    if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
                    {
                        if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
                        {
                            groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
                            getRolesInRoles(groupList, e.Substring(3));
                        }
                        break;
                    }
            }
        }
    }
}

Best Answer

Related Solutions

C# – Validate a username and password against Active Directory

C# – WindowsPrincipal.IsInRole and universal vs. global active directory groups

Related Topic