How to check if a user belongs to an AD group?

At first I thought the code below works, because if I have the group as "IT" it functions correctly, since my username is in the IT group in Active Directory. What I learned is that it always returns true whether I have my username in the IT group or not, and if I change it to any other group I am in, it always returns false. Any help would be appreciated.

    private void tabControl1_SelectedIndexChanged(object sender, EventArgs e)
    {
        // tab control security for admin tab
        bool admin = checkGroup("IT");

        if ((admin == true) && (tabControl1.SelectedTab == tpHistory))
        {
            tabControl1.SelectedTab = tpHistory;
        }
        else if ((admin == false) && (tabControl1.SelectedTab == tpHistory))
        {
            tabControl1.SelectedTab = tpRequests;
            MessageBox.Show("Unable to load tab. You have insufficient privileges.",
                "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Stop);
        }
    }

    // check active directory to see if user is in Marketing department group
    private static bool checkGroup(string group)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(group);
    }
Sealer_05 asked Aug 19 '12 19:08

2 Answers

Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

  • Managing Directory Security Principals in the .NET Framework 3.5
  • MSDN docs on System.DirectoryServices.AccountManagement

Basically, you can define a domain context and easily find users and/or groups in AD:

    using System.DirectoryServices.AccountManagement;

    // set up domain context
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");

    // find a user
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

    // find the group in question
    GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

    // both lookups return null when the name cannot be resolved;
    // IsMemberOf(null) would throw, so check the group as well
    if (user != null && group != null)
    {
        // check if user is member of that group
        if (user.IsMemberOf(group))
        {
            // do something.....
        }
    }

The new S.DS.AM makes it really easy to play around with users and groups in AD!

marc_s answered Sep 20 '22 01:09


Slight deviation from @marc_s example, implemented in the static void Main() method in Program:

    // DomainCtx (PrincipalContext) and User (UserPrincipal) are static properties of Program
    DomainCtx = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
    if (DomainCtx != null)
    {
        User = UserPrincipal.FindByIdentity(DomainCtx, Environment.UserName);
    }

DomainCtx and User are both static properties declared under Program.

Then in other forms I simply do something like this:

    if (Program.User.IsMemberOf(GroupPrincipal.FindByIdentity(Program.DomainCtx, "IT-All")))
    {
        // Enable certain Form Buttons and objects for IT Users
    }
GoldBishop answered Sep 21 '22 01:09
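The following is an added example, not code from either answer above, that folds both answers' approach (a domain PrincipalContext, UserPrincipal.FindByIdentity and GroupPrincipal.FindByIdentity) into one helper the question's checkGroup could call. The group name "IT" and the class name AdGroupCheck are placeholders; the example assumes a domain-joined machine that can reach a domain controller. Two points the answers leave implicit are handled explicitly: a failed lookup (null user or group, or an unreachable DC) is treated as "not a member" rather than throwing or defaulting to access, and nested membership is checked by SID via GetAuthorizationGroups, because IsMemberOf only reports direct membership.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not from the original answers). Assumes the process runs as a
// domain user on a domain-joined machine; "IT" below is a placeholder group name.
public static class AdGroupCheck
{
    // Returns true only when the current user is a member of the named group.
    // includeNested = false reproduces the answers' IsMemberOf (direct membership only);
    // includeNested = true also counts membership through nested groups.
    public static bool IsCurrentUserInGroup(string groupSamAccountName, bool includeNested)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Environment.UserName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSamAccountName))
            {
                // A name that does not resolve must not be mistaken for membership.
                if (user == null || group == null)
                {
                    return false;
                }

                if (!includeNested)
                {
                    return user.IsMemberOf(group);
                }

                // GetAuthorizationGroups expands nested groups (the user's token groups).
                // Comparing SIDs rather than names avoids ambiguity between groups that
                // share a display name in different containers or domains.
                using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
                {
                    foreach (Principal p in groups)
                    {
                        if (p.Sid != null && p.Sid.Equals(group.Sid))
                        {
                            return true;
                        }
                    }
                }
                return false;
            }
        }
        catch (PrincipalServerDownException)
        {
            // No domain controller reachable: fail closed instead of granting access.
            return false;
        }
    }

    public static void Main()
    {
        // Placeholder group name; replace with the real group's sAMAccountName.
        bool direct = IsCurrentUserInGroup("IT", includeNested: false);
        bool nested = IsCurrentUserInGroup("IT", includeNested: true);
        Console.WriteLine($"Direct member of IT: {direct}; member including nested groups: {nested}");
    }
}
```

The question's checkGroup could return IsCurrentUserInGroup(group, true) instead of WindowsPrincipal.IsInRole; the important difference from the original is that every failure path (unknown user, unknown group, DC unavailable) yields false, so a lookup problem hides the tab rather than exposing it.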