Thread: Active directory groups refresh question

  1. #1
    Mark Clark Guest

    Active directory groups refresh question

    This is not a programming question, per se, but I am writing a program
    in VB.NET 2005 that checks the current user's group membership in Active
    Directory. When I either add or remove a person from a group in AD, that
    group change does not show up on the local machine until I log out and
    log back in. Is there a way to force the group membership of the current
    user to be updated from AD so that the membership is always current? In
    case it makes a difference, I am using this line to get the membership:

    System.Security.Principal.WindowsIdentity.GetCurrent.Groups.Translate(GetType(System.Security.Principal.NTAccount))

    Thanks.

  2. #2
    Joseph T Corey Guest

    Re: Active directory groups refresh question

    There is a difference between querying your local token (which is what
    you're doing below) and querying Active Directory for the list of current
    groups. When a user logs in, an access token is created that has the user's
    SID and all SIDs of the groups that the user is a member of. This token is
    only created during login so that's why you're seeing this behavior. To
    obtain the most current list of groups that a user is a member of, you would
    need to query Active Directory for the MemberOf list. I'm not a VB.NET guy,
    so sorry for not posting any code.

    --
    Joseph T. Corey MCSE, Security+
    Systems Administrator
    jcorey@cmu.edu




  3. #3
    Andrew Lomakin Guest

    Re: Active directory groups refresh question

    Mark,

    Group membership is part of the authentication token, and you won't get an
    updated group list until you re-logon.

    If you have AD, you can use LDAPMembershipProvider to verify group
    membership:
    http://msdn2.microsoft.com/en-us/lib...pprovider.aspx

    Regards,

    Andrew





  4. #4
    DaveMo Guest

    Re: Active directory groups refresh question

    On Mar 18, 6:25 am, Mark Clark <M-Clark-nos...@wiu.nospamedu> wrote:


    Hello Mark,

    Two assumptions:

    1) Your app is a fat client app running in the current logged-on
    user's context
    2) Outdated group membership is really worth worrying about.

    The last one takes a bit of thought, because you should decide whether
    there is a valid scenario around your application where group
    membership is going to be changing frequently enough to cause problems
    for users. Most of the time, this is really not the case.

    But if this really is a problem, there are a couple of approaches. One
    approach is to p-invoke some authentication package low-level APIs
    that cause the user's kerb TGT to be discarded and re-fetched. A new
    TGT will include the new group memberships and the user's context
    should be brought up to date. I wish I could point you to a sample to
    do this, but it seems that all of the interesting samples off of the
    Platform SDK have been yanked. If you want to contact me off-line I
    can try to find my copies.

    The second approach is to use Kerberos S4U to get a new service ticket
    (not TGT) for yourself. The implementation of S4U is such that the
    group membership should be up to date. If you google around for S4U
    you should be able to find some VB.NET code to make it happen.

    Of course you can always just have the user logoff and logon again :)

    HTH,
    Dave

  5. #5
    Mark Clark Guest

    Re: Active directory groups refresh question


    Yes, it is a fat client app, and group membership is critical because it
    controls access to functions in the app. I found some code on the
    internet that uses TokenGroups, and it works very well. It reads the
    tokens from AD directly and translates them into group names. It handles
    nested groups (which I needed), and it does update the group listing -
    as soon as I took a user out of a nested group that nested group no
    longer showed up for the user. That is pretty slick!

    Thanks for your help!

  6. #6
    Mark Clark Guest

    Re: Active directory groups refresh question

    Thanks for your reply. I took your post and started looking for 'token'
    on Google in relation to groups and AD and I found TokenGroups. I found
    some code that I could modify and now everything is working fine. The
    code looks at the AD TokenGroups and converts them to real names. It
    handles nested groups and it is updated instantly - as soon as I took a
    user out of a nested group the group membership list reflected that.
    That's exactly what I needed!

    Thanks again!


  7. #7
    Mark Clark Guest

    Re: Active directory groups refresh question

    Thanks for your suggestion. I looked at the link, and it seemed that I
    would have to use an Office .NET function. I'm not sure I would have
    Office on every machine, so I wasn't sure that would work. I found out
    about TokenGroups, though, which solved my problem.

    Thanks again for your help!


  8. #8
    Richard Mueller [MVP] Guest

    Re: Active directory groups refresh question

    It sounds like you modified the tokenGroups attribute directly, by removing
    the SID value for the group in question. I had no idea this would refresh
    the token the user gets when they authenticate. I'm going to have to try
    that myself.

    I assume you enumerated all SID values in the multi-valued tokenGroups
    attribute, perhaps bound to the corresponding object, retrieved a name
    attribute, and then if the name matched the group you wanted to remove, you
    deleted the value from the collection. Or, you could first retrieve the
    objectSid value of the group and compare that with the values in
    tokenGroups. This would save having to bind to all of the group objects.

    The other issue is that I was not aware that you could modify tokenGroups.

    Finally, are you sure the user is no longer a member of the group? If you
    look at the member attribute of the group object, is the DN of the user no
    longer there? Even if the token no longer includes the group SID, this does
    not mean the backlinked attribute (the member attribute of the group object)
    has been updated. If it happens, the system must be doing it. I guess I have
    to ask, how do you know the user is no longer a member of the group? Is the
    membership the same if the user logs off and logs on again?

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --




  9. #9
    Mark Clark Guest

    Re: Active directory groups refresh question

    Oh, no, I am not modifying groups via code, only reading them. I am
    using the "Active Directory Users & Groups" app to add/remove groups. I
    am just reading the groups a user belongs to in my program. I needed to
    be able to instantly have access to the most up-to-date group list for a
    user when an admin would add or remove a group via the GUI. I used
    TokenGroups for that, and it works like a charm.

