Validate user permissions

Category: C#
Tags: csharp, question, announcement, windows-admin, security
2 Posts, 2 Posters
Thedan (#1) wrote:

I'm working on building a web-based solution (C# + .NET) to allow users to manage AD groups that they have appropriate rights to manage. On all groups in Active Directory, there is an advanced permission called "Write Members". If the user (who logged in via a forms-based login page) is granted that permission on the group (either directly or by being a member of a group that has been granted the necessary permission), they should be able to update the group membership. The web app has its own user account with enough permissions to update the group, but I don't know the best way of having it determine if it should use its powers to update the membership for the user.

My question: What is the best way to handle this, and is there a way for me to just pass the user DN (or SID, SAMAccountName, etc.) and have AD determine if that user is allowed to access that object?

I've found code that should be able to get the user's security token and parse the SIDs it contains. I'm assuming I could then take that list of SIDs and compare it to the list of users/groups that have Write Members set to allow on the group in question. This seems ugly/wrong. There are too many cases where this falls short (i.e. the user is a member of a group that doesn't have the Write Members permission, but it does have the Write All Properties permission. It also doesn't effectively check for deny entries.) It feels like there should be a way for me to simply [programmatically] ask AD if user X has access to update the "member" attribute on a given group.

I am a Systems Engineer and not (yet) a programmer, so a little more verbose answer is very much appreciated. Thanks!

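One way to get exactly what the post asks for, namely letting AD itself decide, as an added example that is not code from this thread: bind to the group as the user and read the constructed attribute allowedAttributesEffective, which the domain controller fills with the attributes the bound identity can write after evaluating the full DACL (nested group membership via the token, deny ACEs, the Membership property set, Write All Properties). The class name, the userUpn/password parameters and the DN arguments are assumptions; System.DirectoryServices and allowedAttributesEffective are real.

```csharp
using System;
using System.DirectoryServices;
using System.Linq;

// Added example (not from the thread). Assumed inputs: the group's
// distinguished name and the credentials the user supplied at the forms
// login; userUpn/password are hypothetical parameter names.
public static class GroupMembershipAuthz
{
    // Asks the domain controller, rather than the web app, whether this
    // user may write the "member" attribute of the group.
    public static bool UserCanWriteMembers(string groupDn, string userUpn, string password)
    {
        // Bind as the user, not as the app's privileged account, so the
        // constructed attribute reflects the user's own effective rights.
        using (var group = new DirectoryEntry(
            "LDAP://" + groupDn, userUpn, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            // allowedAttributesEffective is computed on request only; it is
            // not returned unless explicitly loaded into the property cache.
            group.RefreshCache(new[] { "allowedAttributesEffective" });

            // Values are ldapDisplayName strings, e.g. "member".
            return group.Properties["allowedAttributesEffective"]
                .Cast<string>()
                .Contains("member", StringComparer.OrdinalIgnoreCase);
        }
    }

    // Only after the check passes does the app lend out its own account
    // (the process identity, used by the credential-less DirectoryEntry)
    // to perform the change on the user's behalf.
    public static bool AddMemberOnBehalfOf(
        string groupDn, string memberDn, string userUpn, string password)
    {
        if (!UserCanWriteMembers(groupDn, userUpn, password))
            return false; // user lacks Write Members: do not use the app's rights

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            group.Properties["member"].Add(memberDn);
            group.CommitChanges();
        }
        return true;
    }
}
```

The check needs a bind as the user, so it has to run while the user's credentials are available (for example at login, when they are validated anyway) rather than from a stored password.
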
daniel abcde (#2) wrote:

Perhaps using LDAP? My program can allow AD users to change their password on their own. I'm not sure whether this works in your case. You can try.
