How can I query if a user of one domain is a member of a group in another AD domain?

Question

I have a series of applications that all use the same C#, .Net 2.0 code that I've created to check and see if a user is a member of an Active Directory group.

I haven't had any trouble with my code until recently, when I added a user from another, trusted AD domain to one of my AD groups. My question is how can I check to see if a user is a member of an Active Directory group, regardless of their domain. In other words, they may or may not be in the same domain as my group. Below is the code that I have written and used for years to search to see if the user is in an Active Directory group. I'm not sure where I adapted this code from but I'd assume it came from an MSDN article. Also, the solution must be for the .Net 2.0 framework. I have found quite a few answers that may work for this problem in .Net 3.5. Unfortunately, that won't work for my scenario.

//This method takes a user name and the name of an AD Group (role).  
//Current implementations of this method do not contain the user's domain 
//with userName, because it comes from the Environment.UserName property.
private static bool IsInRole(string userName, string role)
{
    try
    {
        role = role.ToLowerInvariant();
        DirectorySearcher ds = new DirectorySearcher(new DirectoryEntry(null));
        ds.Filter = "samaccountname=" + userName;
        SearchResult sr = ds.FindOne();
        DirectoryEntry de = sr.GetDirectoryEntry();
        PropertyValueCollection dir = de.Properties["memberOf"];
        for (int i = 0; i < dir.Count; ++i)
        {
            string s = dir[i].ToString().Substring(3);
            s = s.Substring(0, s.IndexOf(',')).ToLowerInvariant();
            if (s == role)
                return true;
        }
        throw new Exception();
    }
    catch
    {
        return false;
    }
}

Answer 1

This is not the answer you are waiting for, but I hope it can help.

First ; You suppose you code is working in a domain, but I don't see where it takes care of the user 'principal group'. If you select a group as the 'user principal group', this group is no longer part of the member attribute.

Second ; In my understanding, a way (I hope not the only one, but I'am still looking for) to see, if a user, is present in a group is to 'recusively' look for the user DN in the 'member' attribute of 'group' objects. So, in your case, you may ask your domain and the other domain. You can do that doing ONE search per domain. Here is a sample of such a 'recursive one shoot search' using control :

/* Connection to Active Directory
 */
string sFromWhere = "LDAP://WIN-COMPUTER:389/";
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\user", "password");

/* To find all the groups that "user1" is a member of :
 * Set the base to the groups container DN; for example root DN (dc=dom,dc=fr) 
 * Set the scope to subtree
 * Use the following filter :
 * (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
 */
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");

SearchResultCollection srcGroups = dsLookFor.FindAll();

Remark : you can use a more accurate filter to exclude distribution groups for example.

---

Edited (to answer comments questions) :

First : Are the credentials needed ? I would say no if the request is done from a computer that belongs to the domain or the approved domain.

Second and third : Yes filters are documented by Microsoft in AD Search Filter Syntax. The way I wrote this filter is a deduction from the samples.