BPuhl’s Blog

A little bit of everything without actually being much of anything

Is the user in the group?

Posted by BPuhl on May 10, 2008

Initial disclaimer:  I am not a developer.  I don’t even play one on TV.

However, now that that’s out of the way, since I am “the AD guy” who’s usually around in MS IT, and am more often than not willing to answer questions (whether I know the answer or not), I tend to get a lot of questions around programs interacting with AD.  One question, which I’ve been asked at least 3 times (in various forms) in the past few months, goes something like this:

“When a user comes to my application, we query the member attribute of the security group that we want, and then loop through it to see if the user is a member.  This worked great until we expanded our pilot, and there are now 7,000 members of the group.  Is there a more performant way of doing this?  We have tried using isMemberOf, but that doesn’t work so well either.”

Now, I figure there are probably better ways built into the OS to do this to begin with, but then again, maybe not…  At least not in the “edge case” territory, which is where I often seem to live.  The reply that I’ve started to give, goes something like this:

If all you really care about is whether the user is a member of a specific group, then that’s what you should ask AD.

More specifically, you should change your code so that it gets the distinguished name of the user, and then query AD for “all security groups, with the name <your group here>, that contain user <userDN>”.  To see if BPuhl is a member of the FooBar security group, it would look something like this:


First, get the DN for BPuhl:  cn=bpuhl,ou=users,dc=ms,dc=com


Second, check to see if there is a group that he’s a member of:

       (&(cn=foobar)(member=cn=bpuhl,ou=users,dc=ms,dc=com))

                 or

       (&(samAccountName=foobar)(member=cn=bpuhl,ou=users,dc=ms,dc=com))

Depending on how they “know” the name of their group, either form works, and the performance is the same.

With this query, if you get an object back from AD, then the object will be your security group, and you will implicitly know that the user is a member.  If the user isn’t a member, then AD will return nothing, because there “are no security groups with a name of foobar that contain user bpuhl”.
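Here is an added example (not code from the post) of building and running that filter. The one thing worth adding to the post’s version is escaping: the group name and user DN are pasted into the filter text, so a value containing `*`, `(`, `)` or `\` (a DN with an escaped comma, or an attacker-chosen name) would change the shape of the query unless it is escaped as RFC 4515 requires. The `ldap3` package, server name and credentials in `is_member` are assumptions; everything else runs offline.

```python
# Added example, not from the original post. Builds the "groups named <group>
# that contain <userDN>" filter the post describes, with RFC 4515 escaping so
# caller-supplied values cannot change the filter's structure.
from typing import Iterable

# Characters that change filter structure and their RFC 4515 escape forms.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# LDAP_MATCHING_RULE_IN_CHAIN: lets AD walk nested group membership server-side.
_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(group_name: str, user_dn: str,
                      by_sam: bool = False, nested: bool = False) -> str:
    """Return the filter from the post: groups named <group_name> whose member
    attribute contains <user_dn>.

    by_sam selects sAMAccountName instead of cn for the group name.
    nested uses the in-chain matching rule so groups nested inside the named
    group count too; primary group membership is still not covered either way.
    """
    name_attr = "sAMAccountName" if by_sam else "cn"
    member_attr = "member:%s:" % _IN_CHAIN_OID if nested else "member"
    return "(&(%s=%s)(%s=%s))" % (
        name_attr,
        escape_filter_value(group_name),
        member_attr,
        escape_filter_value(user_dn),
    )


def is_member(conn, search_base: str, group_name: str, user_dn: str,
              by_sam: bool = False, nested: bool = False) -> bool:
    """Run the filter; any returned entry is the group, so a hit means 'member'.

    conn is an ldap3.Connection (assumed, not part of the post). Only the DN
    is requested so a large group's member attribute is never transferred.
    """
    conn.search(search_base,
                membership_filter(group_name, user_dn, by_sam, nested),
                attributes=["distinguishedName"])
    return len(conn.entries) > 0


if __name__ == "__main__":
    # Offline demonstration of the filter text itself.
    user = "cn=bpuhl,ou=users,dc=ms,dc=com"
    print(membership_filter("foobar", user))
    print(membership_filter("foobar", user, by_sam=True, nested=True))
    # A DN with an escaped comma keeps its backslash as \5c inside the filter.
    print(membership_filter("foobar", "cn=Puhl\\, Brian,ou=users,dc=ms,dc=com"))
    # Hypothetical live use (placeholders, not real values):
    # import ldap3
    # conn = ldap3.Connection(ldap3.Server("dc01.example.invalid"),
    #                         user="EXAMPLE\\svc_app", password="<secret>",
    #                         auto_bind=True)
    # print(is_member(conn, "dc=ms,dc=com", "foobar", user))
```

The search returns at most one small entry regardless of how many members the group has, which is the performance point of the post; the escaping is what keeps the check honest when the group name or DN comes from somewhere you do not control.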

I’m sure there are better ways of doing this, but I get the impression that they become implementation specific, etc… and the folks who are usually asking the question are IT pros instead of developers, and tend to be fairly light, even on .NET stuff.

If anyone else has a better answer to this question though, I’d love to hear it!


5 Responses to “Is the user in the group?”

  1. token groups

  2. BPuhl said

    Thanks for the reply Brian –

    I had completely forgotten about token groups. But the few times I’ve used that attribute, it’s to give me “which groups is my user a member of?”, which is slightly different than “is my user a member of this group”.

    I think the important distinction is that token groups expands the token, which includes nested security groups. In the cases where I’ve been asked, these were simple cases of “user in group”, rather than users in groups, nested in other groups.
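The tokenGroups approach the comments mention can answer “is my user a member of this group” too: AD returns tokenGroups as a list of binary SIDs (nested membership already expanded), so the check is whether the group’s objectSid appears in that list. The following is an added example, not code from the post or the comments; the SID bytes are constructed sample values, and the `ldap3` calls in `fetch_token_groups` are assumptions.

```python
# Added example, not from the original post or its comments. Compares a
# group's objectSid against a user's tokenGroups, both of which AD stores as
# binary SIDs. The SIDs built below are constructed sample data.
import struct
from typing import Iterable, List


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID as S-<rev>-<authority>-<sub>... for logging.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 byte big-endian
    identifier authority, then count little-endian 32-bit sub-authorities.
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used here only to construct sample values."""
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_member_by_token_groups(group_sid: bytes, token_groups: Iterable[bytes]) -> bool:
    """True if the group's objectSid is in the user's expanded token groups."""
    return any(sid == group_sid for sid in token_groups)


def fetch_token_groups(conn, user_dn: str) -> List[bytes]:
    """Read tokenGroups for a user (assumed ldap3.Connection, not from the post).

    tokenGroups is a constructed attribute, so it must be read with a
    base-scope search on the user object itself.
    """
    import ldap3  # assumed dependency
    conn.search(user_dn, "(objectClass=*)", search_scope=ldap3.BASE,
                attributes=["tokenGroups"])
    if not conn.entries:
        return []
    return list(conn.entries[0]["tokenGroups"].raw_values)


if __name__ == "__main__":
    # Constructed domain SID prefix and two groups, one nested in the other.
    domain = (5, 21, 1, 2, 3)
    foobar = build_sid(*domain, 1105)        # sample RID for FooBar
    fluffybunny = build_sid(*domain, 1106)   # sample RID for another group
    # What AD would hand back as bpuhl's tokenGroups (sample, already expanded).
    bpuhl_token_groups = [build_sid(*domain, 513), foobar]
    print(sid_to_string(foobar), is_member_by_token_groups(foobar, bpuhl_token_groups))
    print(sid_to_string(fluffybunny), is_member_by_token_groups(fluffybunny, bpuhl_token_groups))
```

Comparing raw SID bytes avoids the DN-string comparisons that break when an object is renamed or moved, and the user’s token is fetched once however many groups you need to check against it.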

  3. Laura said

    Depending on what the code needs to -do- with that information, you can always take the “Easier to ask forgiveness…” coding approach, depending on how unacceptably non-performant it is to loop through that group. In other words, what’s the reason the code wants to know if BPuhl is a member of FooBar? If the application is simply creating some sort of view of stuff that BPuhl gets to see, but the security decision is being made elsewhere (through NTFS perms or whatever), just try to do it and catch the failure.

    try {
        // Let BPuhl see this stuff
    }
    catch (AccessDeniedException ade) {
        // Clearly BPuhl doesn’t have the necessary perms to do what we just tried
        // to do on his behalf. Fail gracefully.
    }
    catch (LauraIsAnIdiotException liaie) {
        // Mandatory Laura-shouldn’t-be-writing-production-level-code exception
    }

    Doing this also allows the security provider to be a lot more transparent to the code – if the FooBar group is suddenly no longer the security arbiter that determines whether BPuhl gets access to that stuff in favor of the new and improved FluffyBunny group, it won’t require a code change.

    If the code in question actually -is- the arbiter of what stuff BPuhl gets to see, then clearly this falls down like the cheap hack that it is. 🙂

  4. Limey invasion force [team leader] said

    Don’t forget primary group membership …

  5. Take a look at Authorization Manager (AZMan — think Man from Arizona)
    http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAuthorizationManager.html
    http://blogs.msdn.com/azman/
