Tuesday, September 20, 2005

Expanding Group Membership in .NET 2.0

We have some new options available to us in .NET 2.0 to discover a user’s group membership.  I ran into an entry on Dominick’s blog about expanding group membership using the new IdentityReference class.  This technique assumes you can get a WindowsIdentity for the user you wish to expand.  I previously covered two other techniques here and here.

I use yet another 3rd technique similar to this in the book that actually takes the ‘tokenGroups’ attribute for any user in AD and expands the membership using the IdentityReference.  It is the most elegant of the 3 methods, IMO.

One note on Dominick’s code: a way to further optimize this is to use .Translate on the IdentityReferenceCollection so that the call is batched under the hood.

Comments [5] September 20, 2005 Trackback  #

Tuesday, October 04, 2005 5:09:41 PM (Eastern Standard Time, UTC-05:00)
RP - your blog rules!
Moh | mohammadAT NOSPAMnjkholding dot com
Tuesday, October 11, 2005 3:14:16 PM (Eastern Standard Time, UTC-05:00)
hi,

how exactly do you want to optimize the code??

cheers
dominick
dominick
Tuesday, October 11, 2005 3:47:05 PM (Eastern Standard Time, UTC-05:00)
Hi Dominick,

List /string/ getGroups(WindowsIdentity id)
{
List/string/ groups = new List=/string/();
IdentityReferenceCollection irc = id.Groups.Translate(typeof(NTAccount));

foreach (NTAccount nt in irc)
{
groups.Add(nt.Value);
}
return groups;
}

Simply call the .Translate from the IdentityReferenceCollection similar to above. This should batch your call instead of making multiple calls in the foreach loop, IIRC.

Sorry, comments won't allow angle brackets, so they are replaced above.
Ryan
Tuesday, October 11, 2005 4:10:19 PM (Eastern Standard Time, UTC-05:00)
but under the covers, this is the same code, right?
dominick
Wednesday, October 12, 2005 9:15:39 AM (Eastern Standard Time, UTC-05:00)
If you mean does the same code run, then the answer is yes, of course. However, the conversion from SID to NT Account format is done using the LsaLookupSids API call. This call takes an array of SIDs. So, if you supply an array of SIDs (by calling Translate() from the collection) it will do the conversion in one call. If you put it in a loop, it must make the call n times with exactly 1 item in the array to be converted. The designers were smart in their implementation, and I suspect that is the sole purpose of putting the .Translate() method on the collection to begin with. Sorry if I was being confusing.
Ryan
Comments are closed.