Question

I have been tasked with some SharePoint work that involves the following scenario.

The users are in an Active Directory group; in some cases permissions are bound directly to the AD group, and in other cases the AD group is added to a SharePoint group.

My question is: how can I check the SPUser's permissions if the user is not directly assigned to a group/permission but is a member of the Active Directory group? I need to check the user's permission level.

For instance:

User: UserX Belongs to AD Group "SHAREPOINT_POWER_USERS" and this group has "Contribute" permissions and belongs to a SharePoint group "IT Support Group".

Would there be a way to programmatically retrieve this, given that the user does not appear in advanced permissions or in a SharePoint group? Can I access this by doing something like:

// Pseudocode to access groups: the SharePoint groups the logged-in user belongs to.
// NOTE(review): Groups presumably lists only direct SharePoint group membership, not
// membership inherited through an AD group that was added to a SharePoint group — confirm
// (IsCurrentUserMemberOfGroup, mentioned below, is the call that resolves the nested case).
SPUser user = SPContext.Current.Web.CurrentUser;
SPGroupCollection collection = user.Groups;

Please let me know how this works.

Thanks.


Solution

Easy. Use SPUtility.GetPrincipalsInGroup.

There is a good example in an older post here: Getting members of an AD domain group using Sharepoint API

OTHER TIPS

If I have an AD user UserX who is a member of the AD group "TestADGroup", and in SharePoint that AD group has been added to the SharePoint group "TestSPGroup":

The following will return true when UserX is logged in: web.IsCurrentUserMemberOfGroup(web.Groups["TestSPGroup"].ID);

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.iscurrentusermemberofgroup.aspx

You could go against AD itself directly, get the groups the user is a member of, and if one of those groups has permission to the object, grant the permission (i.e. show the object, etc.).

Try: http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#39

/// <summary>
/// Returns the groups the directory object at <paramref name="userDn"/> belongs to,
/// as read from its "memberOf" attribute.
/// </summary>
/// <param name="userDn">Distinguished name (LDAP path) of the user to inspect.</param>
/// <param name="recursive">Passed through to AttributeValuesMultiString; presumably
/// expands nested group membership when true — confirm against that method.</param>
/// <returns>The list populated by AttributeValuesMultiString (defined elsewhere in this class).</returns>
public ArrayList Groups(string userDn, bool recursive)
{
    // A fresh list is handed to the helper, which fills it and returns it.
    return AttributeValuesMultiString("memberOf", userDn, new ArrayList(), recursive);
}

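/// <summary>
/// Reads one attribute of the directory object at <paramref name="objectDn"/> and
/// returns it as a string.
/// </summary>
/// <param name="attributeName">Name of the LDAP attribute to read.</param>
/// <param name="objectDn">Path accepted by DirectoryEntry (e.g. the "LDAP://"-prefixed
/// value that GetObjectDistinguishedName produces).</param>
/// <returns>The attribute value converted with ToString().</returns>
/// <exception cref="InvalidOperationException">The attribute is absent or has no value
/// on the object (the original code failed here with a NullReferenceException).</exception>
public string AttributeValuesSingleString
    (string attributeName, string objectDn)
{
    // 'using' releases the entry even when the read throws; the original's
    // Close()/Dispose() pair was skipped on any exception and leaked the handle.
    using (DirectoryEntry ent = new DirectoryEntry(objectDn))
    {
        object rawValue = ent.Properties[attributeName].Value;
        if (rawValue == null)
        {
            throw new InvalidOperationException(
                "attribute " + attributeName + " has no value on " + objectDn);
        }
        // NOTE(review): for a multi-valued attribute Value is presumably an array, whose
        // ToString() is not meaningful — confirm; callers should use the multi-string
        // variant for those attributes.
        return rawValue.ToString();
    }
}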

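/// <summary>
/// Finds a user, group or computer by name in <paramref name="LdapDomain"/> and returns
/// either its "LDAP://"-prefixed distinguished name or its object GUID.
/// </summary>
/// <param name="objectCls">Which object class to search for.</param>
/// <param name="returnValue">Whether to return the distinguished name or the object GUID.</param>
/// <param name="objectName">Name matched against cn (and sAMAccountName for users). It is
/// treated as a literal: LDAP filter metacharacters are escaped, so wildcards are not honoured.</param>
/// <param name="LdapDomain">Domain or server name appended to "LDAP://" for the bind.</param>
/// <returns>The distinguished name or GUID string, or string.Empty when
/// <paramref name="returnValue"/> matches neither known case.</returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="objectCls"/> is not a known class.</exception>
/// <exception cref="InvalidOperationException">No matching object was found (the original
/// threw NullReferenceException here).</exception>
public string GetObjectDistinguishedName(objectClass objectCls,
    returnType returnValue, string objectName, string LdapDomain)
{
    // objectName is caller-supplied and is embedded in the search filter; escaping it
    // (RFC 4515) keeps '(' ')' '*' '\' in the value from changing the filter's structure
    // (LDAP injection). The original concatenated it unescaped.
    string safeName = EscapeLdapFilterValue(objectName);

    string filter;
    switch (objectCls)
    {
        case objectClass.user:
            filter = "(&(objectClass=user)(|(cn=" + safeName + ")(sAMAccountName=" + safeName + ")))";
            break;
        case objectClass.group:
            // NOTE(review): "dn" is presumably not an attribute AD evaluates in a filter, so in
            // practice only the cn clause matches here and in the computer case — kept as in
            // the original; confirm before relying on DN lookups.
            filter = "(&(objectClass=group)(|(cn=" + safeName + ")(dn=" + safeName + ")))";
            break;
        case objectClass.computer:
            filter = "(&(objectClass=computer)(|(cn=" + safeName + ")(dn=" + safeName + ")))";
            break;
        default:
            // The original left the filter unset for an unknown enum value and so searched
            // with the searcher's default filter, returning an arbitrary object.
            throw new ArgumentOutOfRangeException("objectCls", objectCls, "unknown object class");
    }

    string distinguishedName = string.Empty;
    // 'using' releases the entry and searcher even if FindOne() throws; the original skipped
    // its Close()/Dispose() calls on exceptions and never disposed the result's entry.
    using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + LdapDomain))
    using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
    {
        mySearcher.Filter = filter;
        SearchResult result = mySearcher.FindOne();
        if (result == null)
        {
            throw new InvalidOperationException(
                "unable to locate the distinguishedName for the object " +
                objectName + " in the " + LdapDomain + " domain");
        }

        using (DirectoryEntry directoryObject = result.GetDirectoryEntry())
        {
            if (returnValue == returnType.distinguishedName)
            {
                distinguishedName = "LDAP://" + directoryObject.Properties["distinguishedName"].Value;
            }
            if (returnValue == returnType.ObjectGUID)
            {
                distinguishedName = directoryObject.Guid.ToString();
            }
        }
    }
    return distinguishedName;
}

/// <summary>
/// Escapes the characters that are special inside an LDAP search filter value
/// (RFC 4515 section 3) so the value is matched literally.
/// </summary>
/// <param name="value">Raw value to embed in a filter.</param>
/// <returns>The escaped value; null or empty input is returned unchanged.</returns>
private static string EscapeLdapFilterValue(string value)
{
    if (string.IsNullOrEmpty(value))
    {
        return value;
    }

    StringBuilder escaped = new StringBuilder(value.Length);
    foreach (char c in value)
    {
        switch (c)
        {
            case '\\':
                escaped.Append("\\5c");
                break;
            case '*':
                escaped.Append("\\2a");
                break;
            case '(':
                escaped.Append("\\28");
                break;
            case ')':
                escaped.Append("\\29");
                break;
            case '\0':
                escaped.Append("\\00");
                break;
            default:
                escaped.Append(c);
                break;
        }
    }
    return escaped.ToString();
}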