Active directory groups refresh question
This is not a programming question, per se, but I am writing a program
in VB.NET 2005 that checks the current user's group membership in Active
Directory. When I either add or remove a person from a group in AD, that
group change does not show up on the local machine until I log out and
log back in. Is there a way to force the group membership of the current
user to be updated from AD so that the membership is always current? In
case it makes a difference, I am using this line to get the membership:
System.Security.Principal.WindowsIdentity.GetCurrent.Groups.Translate(GetType(System.Security.Principal.NTAccount))
Thanks.
Re: Active directory groups refresh question
There is a difference between querying your local token (which is what
you're doing below) and querying Active Directory for the list of current
groups. When a user logs in, an access token is created that has the user's
SID and all SIDs of the groups that the user is a member of. This token is
only created during login so that's why you're seeing this behavior. To
obtain the most current list of groups that a user is a member of, you would
need to query Active Directory for the MemberOf list. I'm not a VB.NET guy,
so sorry for not posting any code.
--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@cmu.edu
"Mark Clark" <M-Clark-nospam@wiu.nospamedu> wrote in message
news:MPG.22497eb8ff5fc58698969c@msnews.microsoft.com...
Re: Active directory groups refresh question
Mark,
Group membership is part of the authentication token, and you won't get an
updated group list until you re-logon.
If you have AD, you can use LDAPMembershipProvider to verify group
membership:
http://msdn2.microsoft.com/en-us/lib...pprovider.aspx
Regards,
Andrew
"Mark Clark" <M-Clark-nospam@wiu.nospamedu> wrote in message
news:MPG.22497eb8ff5fc58698969c@msnews.microsoft.com...
Re: Active directory groups refresh question
On Mar 18, 6:25 am, Mark Clark <M-Clark-nos...@wiu.nospamedu> wrote:
Hello Mark,
Two assumptions:
1) Your app is a fat client app running in the current logged-on
user's context
2) Outdated group membership is really worth worrying about.
The last one takes a bit of thought, because you should decide whether
there is a valid scenario around your application where group
membership is going to be changing frequently enough to cause problems
for users. Most of the time, this is really not the case.
But if this really is a problem, there are a couple of approaches. One
approach is to p-invoke some authentication package low-level APIs
that cause the user's kerb TGT to be discarded and re-fetched. A new
TGT will include the new group memberships and the user's context
should be brought up to date. I wish I could point you to a sample to
do this, but it seems that all of the interesting samples off of the
Platform SDK have been yanked. If you want to contact me off-line I
can try to find my copies.
The second approach is to use Kerberos S4U to get a new service ticket
(not TGT) for yourself. The implementation of S4U is such that the
group membership should be up to date. If you google around for S4U
you should be able to find some VB.NET code to make it happen.
Of course you can always just have the user logoff and logon again :)
HTH,
Dave
Re: Active directory groups refresh question
In article <6ea240e3-7b5c-48c4-bfde-027373a54d6b@e10g2000prf.googlegroups.com>,
david.mowers@gmail.com says...
Yes, it is a fat client app, and group membership is critical because it
controls access to functions in the app. I found some code on the
internet that uses TokenGroups, and it works very well. It reads the
tokens from AD directly and translates them into group names. It handles
nested groups (which I needed), and it does update the group listing -
as soon as I took a user out of a nested group that nested group no
longer showed up for the user. That is pretty slick!
Thanks for your help!
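A worked version of what Mark describes in the post above, and of the directory-side query Joseph Corey's answer calls for, added here as an example (it is not code from this thread and not the code Mark found): it locates the user's object in AD, asks for the constructed tokenGroups attribute, and translates the SIDs with the same Translate(GetType(NTAccount)) call as the original WindowsIdentity line. It assumes a domain-joined machine, a caller that is allowed to read the user object, and a project reference to System.DirectoryServices.dll; the module and function names are mine.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text

' Added example, not code from this thread. Reads a user's current group
' membership from Active Directory via the constructed tokenGroups attribute
' instead of the logon token. Assumes a domain-joined machine, a caller that
' may read the user object, and a reference to System.DirectoryServices.dll.
Module TokenGroupsDemo

    ' Escapes the characters RFC 4515 reserves in filter values so that a
    ' name such as smith(admin)* cannot change the meaning of the filter.
    Private Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Locates the user object by sAMAccountName in the domain this machine
    ' is joined to (RootDSE/defaultNamingContext), without hard-coding a DN.
    Public Function FindUser(ByVal samAccountName As String) As DirectoryEntry
        Using rootDse As New DirectoryEntry("LDAP://RootDSE")
            Dim domainDn As String = CStr(rootDse.Properties("defaultNamingContext").Value)
            Using domain As New DirectoryEntry("LDAP://" & domainDn)
                Using searcher As New DirectorySearcher(domain)
                    searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                                      EscapeFilterValue(samAccountName) & "))"
                    searcher.SearchScope = SearchScope.Subtree
                    Dim result As SearchResult = searcher.FindOne()
                    If result Is Nothing Then
                        Throw New InvalidOperationException("No user " & samAccountName & " under " & domainDn)
                    End If
                    Return result.GetDirectoryEntry()
                End Using
            End Using
        End Using
    End Function

    ' Returns the group SIDs exactly as the directory computes them right now,
    ' nested groups already expanded. tokenGroups is a constructed attribute,
    ' so it must be requested by name; a plain read of the object omits it.
    Public Function GetTokenGroups(ByVal user As DirectoryEntry) As List(Of SecurityIdentifier)
        Dim sids As New List(Of SecurityIdentifier)
        user.RefreshCache(New String() {"tokenGroups"})
        For Each raw As Object In user.Properties("tokenGroups")
            sids.Add(New SecurityIdentifier(CType(raw, Byte()), 0))
        Next
        Return sids
    End Function

    ' Translates SIDs to DOMAIN\Name, the same translation the thread's
    ' WindowsIdentity line does. A SID that does not resolve (for example one
    ' from a domain this machine cannot reach) is kept in S-1-5-... form
    ' rather than silently dropped.
    Public Function ToAccountNames(ByVal sids As IEnumerable(Of SecurityIdentifier)) As List(Of String)
        Dim names As New List(Of String)
        For Each sid As SecurityIdentifier In sids
            Try
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                names.Add(sid.Value)
            End Try
        Next
        Return names
    End Function

    ' Authorization check on SIDs, not names: a renamed group keeps its SID,
    ' and no name-to-SID lookup is involved that could be pointed elsewhere.
    Public Function IsMemberOf(ByVal user As DirectoryEntry, ByVal groupSid As SecurityIdentifier) As Boolean
        Return GetTokenGroups(user).Contains(groupSid)
    End Function

    Sub Main()
        Dim logonName As String = Environment.UserName
        Using user As DirectoryEntry = FindUser(logonName)
            Console.WriteLine("Groups for " & logonName & " as AD sees them now:")
            For Each name As String In ToAccountNames(GetTokenGroups(user))
                Console.WriteLine("  " & name)
            Next
        End Using

        ' For contrast: the logon token, which does not change until the
        ' user logs off and on again.
        Console.WriteLine("Groups in the current logon token:")
        For Each group As IdentityReference In WindowsIdentity.GetCurrent().Groups
            Console.WriteLine("  " & group.Value)
        Next
    End Sub

End Module
```

IsMemberOf takes the group's SID (read once from the group object's objectSid, the shortcut Richard Mueller suggests in this thread) and compares SIDs, so it needs no name lookups at check time. Two things this does not change: the process's own access token stays as it was at logon, so anything the OS enforces through ACLs (files, registry keys, named pipes) still sees the old membership until the user logs off and on; and a check made inside a fat client running as the user can be bypassed by that user, so a function that really matters should also be enforced by whatever server or database it touches. Note also that tokenGroups is computed by the DC you bind to, and domain-local groups are only included for that DC's own domain.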
Re: Active directory groups refresh question
Thanks for your reply. I took your post and started looking for 'token'
on Google in relation to groups and AD and I found TokenGroups. I found
some code that I could modify and now everything is working fine. The
code looks at the AD TokenGroups and converts them to real names. It
handles nested groups and it is updated instantly - as soon as I took a
user out of a nested group the group membership list reflected that.
That's exactly what I needed!
Thanks again!
In article <D0E6936B-5138-49C1-B0FA-BF563FBF97AA@microsoft.com>,
jcorey@andrew.cmu.edu says...
Re: Active directory groups refresh question
Thanks for your suggestion. I looked at the link, and it seemed that I
would have to use an Office .NET function. I'm not sure I would have
Office on every machine, so I wasn't sure that would work. I found out
about TokenGroups, though, which solved my problem.
Thanks again for your help!
In article <09A7125B-C79F-4C1C-A4A5-47503F0BAC0B@microsoft.com>,
lomakin@one.no-spam.lv.remove.no-spam says...
Re: Active directory groups refresh question
It sounds like you modified the tokenGroups attribute directly, by removing
the SID value for the group in question. I had no idea this would refresh
the token the user gets when they authenticate. I'm going to have to try
that myself.
I assume you enumerated all SID values in the multi-valued tokenGroups
attribute, perhaps bound to the corresponding object, retrieved a name
attribute, and then if the name matched the group you wanted to remove, you
deleted the value from the collection. Or, you could first retrieve the
objectSid value of the group and compare that with the values in
tokenGroups. This would save having to bind to all of the group objects.
The other issue is that I was not aware that you could modify tokenGroups.
Finally, are you sure the user is no longer a member of the group? If you
look at the member attribute of the group object, is the DN of the user no
longer there? Even if the token no longer includes the group SID, this does
not mean the backlinked attribute (the member attribute of the group object)
has been updated. If it happens, the system must be doing it. I guess I have
to ask, how do you know the user is no longer a member of the group? Is the
membership the same if the user logs off and logs on again?
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"Mark Clark" <M-Clark-nospam@wiu.nospamedu> wrote in message
news:MPG.2249c4d1888b77b998969e@msnews.microsoft.com...
Re: Active directory groups refresh question
Oh, no, I am not modifying groups via code, only reading them. I am
using the "Active Directory Users & Groups" app to add/remove groups. I
am just reading the groups a user belongs to in my program. I needed to
be able to instantly have access to the most up-to-date group list for a
user when an admin would add or remove a group via the GUI. I used
TokenGroups for that, and it works like a charm.
In article <erFYZ5ViIHA.944@TK2MSFTNGP05.phx.gbl>, rlmueller-
nospam@ameritech.nospam.net says...