I’m using UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups() to authorize a user against a group in Active Directory. It works fine for simple groups, but not for nested groups. Let’s say I have the following structure:
Administrators members:
    SomeAdminAccountName
Users members:
    Administrators
    SomeUserAccountName
The Users group contains the Administrators group (since all administrators should be able to do what users can). The problem is that UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups() does not include the Users group.
If I use GroupPrincipal.FindByIdentity(ctx, groupName).Members I do see that the Administrators group is part of it, but the administrator account is not included.
My question is:
Do I need to do a recursive group check to find a user or is there another way that I haven’t found?
To check a user against a group I would try IsMemberOf.
You may also approach the problem from the other direction: find the group and get all of its members using the GetMembers function with the recursive flag set. As most applications use a small number of groups, you should be able to cache this for reuse; in my work 5 – 30 minutes is usually an acceptable caching time.
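The two directions described in the question and the answer, as an added example that is not code from either post. It assumes the account and group names from the question, a domain the process can reach, and the 5-minute cache lifetime the answer suggests; the class and method names are mine. From the user's side it uses UserPrincipal.GetAuthorizationGroups(), which resolves membership through nested security groups (the user's token groups), whereas GetGroups() only lists direct membership. From the group's side it uses GroupPrincipal.GetMembers(true), which expands nested groups, and caches the resulting SIDs. Both checks compare SIDs rather than names, since a group can be renamed or re-created under the same name with a different SID.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Added example, not from the question or the answer. Assumes the names used in
// the question ("SomeAdminAccountName", "Users") and a reachable domain context.
public static class NestedGroupAuthorization
{
    // Direction 1 (from the user). GetAuthorizationGroups() returns the security
    // groups the account belongs to, including groups reached through nesting
    // (Administrators nested in Users), unlike GetGroups(), which lists direct
    // membership only. Distribution groups are not returned by this call.
    public static bool IsTransitiveMember(PrincipalContext ctx, string userSam, string groupSam)
    {
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userSam))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSam))
        {
            // Fail closed: an unknown user or group is never authorized.
            if (user == null || group == null || group.Sid == null)
                return false;

            using (var groups = user.GetAuthorizationGroups())
            {
                // Compare SIDs, not names.
                return groups.Any(g => g.Sid != null && g.Sid.Equals(group.Sid));
            }
        }
    }

    // Direction 2 (from the group). GetMembers(true) expands nested groups and
    // returns the principals reached through them; the SIDs are cached per group
    // for a short TTL, as the answer suggests.
    public sealed class GroupMemberCache
    {
        private readonly PrincipalContext _ctx;
        private readonly TimeSpan _ttl;
        private readonly object _lock = new object();
        private readonly Dictionary<string, Tuple<DateTime, HashSet<SecurityIdentifier>>> _cache =
            new Dictionary<string, Tuple<DateTime, HashSet<SecurityIdentifier>>>(StringComparer.OrdinalIgnoreCase);

        public GroupMemberCache(PrincipalContext ctx, TimeSpan ttl)
        {
            _ctx = ctx;
            _ttl = ttl;
        }

        public bool IsMember(string groupSam, SecurityIdentifier userSid)
        {
            return userSid != null && Members(groupSam).Contains(userSid);
        }

        private HashSet<SecurityIdentifier> Members(string groupSam)
        {
            lock (_lock)
            {
                Tuple<DateTime, HashSet<SecurityIdentifier>> entry;
                if (_cache.TryGetValue(groupSam, out entry) && DateTime.UtcNow - entry.Item1 < _ttl)
                    return entry.Item2;

                var sids = new HashSet<SecurityIdentifier>();
                using (var group = GroupPrincipal.FindByIdentity(_ctx, IdentityType.SamAccountName, groupSam))
                {
                    if (group != null)
                    {
                        using (var members = group.GetMembers(true)) // true = recurse into nested groups
                        {
                            foreach (var p in members)
                            {
                                if (p.Sid != null) sids.Add(p.Sid);
                                p.Dispose();
                            }
                        }
                    }
                }
                _cache[groupSam] = Tuple.Create(DateTime.UtcNow, sids);
                return sids;
            }
        }
    }

    public static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            // Nested case from the question: SomeAdminAccountName -> Administrators -> Users.
            Console.WriteLine(IsTransitiveMember(ctx, "SomeAdminAccountName", "Users"));

            var cache = new GroupMemberCache(ctx, TimeSpan.FromMinutes(5));
            using (var admin = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "SomeAdminAccountName"))
            {
                Console.WriteLine(admin != null && cache.IsMember("Users", admin.Sid));
            }
        }
    }
}
```

The cache trades freshness for directory load: a user removed from a group keeps the cached authorization until the TTL expires, so keep the TTL short for groups that gate sensitive operations, and fail closed whenever a lookup returns null.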