viv_acious - 4 years ago
ASP.NET (C#) Question

How to set up access for users in Active Directory group

I have a web application using Windows Authentication in C# and currently I assign users to roles individually.

e.g. At each page of the application, I check

if (Roles.IsUserInRole(@"AU\UserName", "PageAccessRole"))

As I need to roll out the application to the whole team this week (and eventually the whole company), I need to use AD groups, as there are over 3000 people, so I am not about to do it manually!

As a newbie to ASP.NET (and programming in general), I really don't know much about setting up AD groups (e.g. how do I get access to the AD groups from my application, etc.?)

I would be so grateful if anyone could point me in the right direction... I've been reading up all about LDAP and System.DirectoryServices.AccountManagement etc., but I am just getting all the more confused.

So far, I have this in my web.config

<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="AU\Active Directory Group Name" />
    <!-- deny everyone else; users="?" would only deny anonymous callers, which IIS already rejects -->
    <deny users="*" />
  </authorization>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
    <providers>
      <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
    </providers>
  </roleManager>
</system.web>

And I've enabled Windows Authentication and disabled Anonymous in the IIS Server.

Please please help!!
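The check the question is after, written as an added example (this is not code from the original post): a Windows-authenticated Web Forms page that admits only members of one AD group. The group name `AU\PageAccessGroup`, the page name `ReportPage` and the helper class `GroupAccess` are placeholders chosen for the example.

```csharp
// Added example, not code from the original post. Assumes IIS Windows authentication
// with anonymous disabled, and a placeholder group "AU\PageAccessGroup".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public static class GroupAccess
{
    // True if the caller's Windows logon token contains the given "DOMAIN\Group".
    // WindowsPrincipal.IsInRole resolves the name to a SID and checks the token's
    // group SIDs, so nested groups count and no LDAP query is made per request.
    public static bool CallerIsIn(HttpContext ctx, string domainGroup)
    {
        var principal = ctx.User as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;           // fail closed: no token, no access
        return principal.IsInRole(domainGroup);
    }

    // Stops the request with 403 for callers outside the group. Call it at the top
    // of Page_Load (or from a shared base Page) so nothing else on the page runs.
    public static void Require(HttpContext ctx, string domainGroup)
    {
        if (CallerIsIn(ctx, domainGroup))
            return;
        ctx.Response.Clear();
        ctx.Response.StatusCode = 403;
        ctx.Response.End();         // ends the page lifecycle for this request
    }
}

public partial class ReportPage : Page
{
    // In real use read this from appSettings so the group can change without a redeploy.
    private const string PageGroup = @"AU\PageAccessGroup";

    protected void Page_Load(object sender, EventArgs e)
    {
        GroupAccess.Require(Context, PageGroup);
        // ... page content for authorized users only ...
    }
}
```

The same rule can be declared in web.config with a `<location path="Report.aspx">` element wrapping an `<authorization>` block that allows the `AU\PageAccessGroup` role and then denies `*`; the code check is still worth keeping for pages that branch on several groups. One caveat when using `Roles.IsUserInRole` with `WindowsTokenRoleProvider`: it only answers for the currently authenticated user, and passing any other user name throws a `ProviderException`, so checks for other accounts need a directory lookup instead.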

Answer Source


This is how you can fetch groups from an OU in AD.

Suppose I want to fetch records from my Department OU. Now the path would be like that:


and dc here is the Domain Controller name; in my case it was Corp.Local.
In this way you can fetch groups from your AD:

    using System.Data;
    using System.DirectoryServices;

    // Returns the groups under the chosen OU, one row per group (column "GroupName").
    static DataTable FetchGroups(string department, string ou, string username, string password)
    {
        DataTable dt = new DataTable();
        dt.Columns.Add("GroupName");
        DirectoryEntry rootDSE = null;

        if (department != "")
            rootDSE = new DirectoryEntry(
                "LDAP://OU=" + department + ",OU=Users,dc=corp,dc=local", username, password);
        else
            rootDSE = new DirectoryEntry(
                "LDAP://OU=Users,OU=" + ou + ",dc=corp,dc=local", username, password);

        DirectorySearcher ouSearch = new DirectorySearcher(rootDSE);
        ouSearch.PageSize = 1001;   // turns on paging; the server clamps this to its MaxPageSize
        ouSearch.Filter = "(objectClass=group)";
        ouSearch.SearchScope = SearchScope.Subtree;
        ouSearch.PropertiesToLoad.Add("sAMAccountName");
        SearchResultCollection allOUS = ouSearch.FindAll();
        foreach (SearchResult oneResult in allOUS)
            dt.Rows.Add(oneResult.Properties["sAMAccountName"][0]);
        return dt;
    }

Now how to add Users to the groups.

It is an example for a single user; you can do this in a similar way by looping over the users.

    using System;
    using System.DirectoryServices.AccountManagement;

    // Adds userName to groupName in corp.local; returns true if the user is a member afterwards.
    static bool AddUserToGroup(string groupName, string userName, string username, string password)
    {
        bool done = false;
        PrincipalContext pr = new PrincipalContext(ContextType.Domain,
            "corp.local", "dc=corp,dc=local", username, password);
        GroupPrincipal group = GroupPrincipal.FindByIdentity(pr, groupName); // Looking for the Group in AD Server
        if (group == null)
            throw new ArgumentException("Group not found: " + groupName);

        UserPrincipal user = UserPrincipal.FindByIdentity(pr, userName); // Looking for the User in AD Server
        if (user == null)
            throw new ArgumentException("User not found: " + userName);

        if (user.IsMemberOf(group)) // If the group is already added to the user
        {
            // Do nothing, because the group is already added to the user.
            // (If you want to remove groups from that user, that logic goes here.)
            done = true;
        }
        else // Group not found on the current user, add it
        {
            group.Members.Add(user);
            group.Save();
            done = user.IsMemberOf(group); // You can confirm it from here
        }
        return done;
    }
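The answer binds to the directory with an explicit user name and password. For the access check the question actually needs, an added example (not code from the answer above) that uses the same `System.DirectoryServices.AccountManagement` API but binds as the process identity and expands nested groups; the domain `corp.local` is taken from the answer, and the class name `AdMembership` is a placeholder.

```csharp
// Added example, not code from the answer above. Assumes the "corp.local" domain used
// in the answer and a group named by its sAMAccountName (e.g. "PageAccessGroup").
using System;
using System.DirectoryServices.AccountManagement;

public static class AdMembership
{
    // True if userName belongs to groupName directly or through nested groups.
    // Binds as the process (IIS app pool) identity, so no user name or password
    // has to live in code or in web.config.
    public static bool IsMemberOf(string domain, string userName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        // Without an IdentityType the lookup accepts "jdoe", "jdoe@corp.local" or "CORP\jdoe",
        // so HttpContext.Current.User.Identity.Name can be passed straight through.
        using (var user = UserPrincipal.FindByIdentity(ctx, userName))
        {
            if (user == null)
                return false;   // unknown account: fail closed

            // GetAuthorizationGroups expands nested membership; GetGroups lists only
            // direct memberships and would miss "group inside group" setups.
            using (var groups = user.GetAuthorizationGroups())
            {
                foreach (Principal g in groups)
                {
                    // Some entries are well-known SIDs with no sAMAccountName; string.Equals
                    // tolerates the null and simply does not match them.
                    if (string.Equals(g.SamAccountName, groupName, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
            return false;
        }
    }
}
```

Because every call costs at least one round trip to a domain controller, cache the result per user for a few minutes when calling this from page code, and keep the token-based `IsInRole` check for the common case where the user being checked is the caller.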