Menu
How can I determine if a user, in say Access, is a member of an Active Directory Security Group?
I'd rather not build a whole authentication system into my little Access DB.
Thanks
574
Identity and Membership Yet, the self also includes all those qualities that spring from memberships in groups. People are defined not only by their traits, preferences, interests, likes, and dislikes, but also by their friendships, social roles, family connections, and group memberships.
You can check group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest and drilling down into the object's properties and clicking the “Members” or “Member Of” tab.
You can check active directory group membership using the command line net user or dsget or using the Get-AdGroupMember PowerShell cmdlet to check ad group membership. Active Directory groups are a great way to manage and grant access permissions to users like access to specific servers, and computers.
Domains are a way to group computers in a network so that they can share resources and information. You can use the command line to check domain group membership. To do this, open the Command Prompt and type "net group" followed by the name of the group you want to check. This will list all the members of that group.
Allain found this online
Function IsMember(strDomain As String, strGroup _
As String, strMember As String) As Boolean
Dim grp As Object
Dim strPath As String
strPath = "WinNT://" & strDomain & "/"
Set grp = GetObject(strPath & strGroup & ",group")
IsMember = grp.IsMember(strPath & strMember)
End Function
You can get the Windows account info by way of the USERDOMAIN and USERNAME environment vars:
Function GetCurrentUser() As String
GetCurrentUser = Environ("USERNAME")
End Function
Function GetCurrentDomain() As String
GetCurrentDomain = Environ("USERDOMAIN")
End Function
Putting it all together:
If IsMember(GetCurrentDomain, "AD Group", GetCurrentUser) Then
DoStuff()
End If
I'm late to the game with this, but the code you need is below. It gets user names and domain names for you.
Note that I'm not using objGroup.Ismember - that's actually the correct method to use - I'm enumerating the list of groups that the user is in, because it's much easier to debug and there's no appreciable performance penalty.
...And I lifted the code from an earlier project, in which I needed to check membership of a 'Read Reports' group, an 'Edit Data' Group, and an 'Edit System Data' group, so that I could choose which controls to enable and which forms to open read-only. Enumerating groups once was faster than three separate checks.
Public Function UserIsInGroup(GroupName As String, _
Optional Username As String, _
Optional Domain As String) As Boolean
'On Error Resume Next
' Returns TRUE if the user is in the named NT Group.
' If user name is omitted, current logged-in user's login name is assumed.
' If domain is omitted, current logged-in user's domain is assumed.
' User name can be submitted in the form 'myDomain/MyName'
' (this will run slightly faster)
' Does not raise errors for unknown user.
'
' Sample Usage: UserIsInGroup( "Domain Users")
Dim strUsername As String
Dim objGroup As Object
Dim objUser As Object
Dim objNetwork As Object
UserIsInGroup = False
If Username = "" Then
Set objNetwork = CreateObject("WScript.Network")
strUsername = objNetwork.UserDomain & "/" & objNetwork.Username
Else
strUsername = Username
End If
strUsername = Replace(strUsername, "\", "/")
If InStr(strUsername, "/") Then
' No action: Domain has already been supplied in the user name
Else
If Domain = "" Then
Set objNetwork = CreateObject("WScript.Network")
Domain = objNetwork.UserDomain
End If
strUsername = Domain & "/" & strUsername
End If
Set objUser = GetObject("WinNT://" & strUsername & ",user")
If objUser Is Nothing Then
' Insert error-handler here if you want to report an unknown user name
Else
For Each objGroup In objUser.Groups
'Debug.Print objGroup.Name
If GroupName = objGroup.Name Then
UserIsInGroup = True
Exit For
End If
Next objGroup
End If
Set objNetwork = Nothing
Set objGroup = Nothing
Set objUser = Nothing
End Function
Hopefully this late submission is of use to other developers: when I looked this up for the first time, back in 2003, it was like nobody had ever used AD groups in Excel or MS-Access.
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
