localhost #1
Determine Global Group vs User in Local?
This code enumerates all local group members (Win2K web server member server in a Win2K domain). But if a member is a global group, I need to know it. Currently I can't tell if the entry in the local group is a user or a global. How to tell the difference?
Thanks.
string localGroupName = "";
string bV = "";
string locPath = "WinNT://" +
    System.Environment.GetEnvironmentVariable( "COMPUTERNAME" );
DirectoryEntry localGroup;
try
{
    localGroup = new DirectoryEntry( locPath + "/" + localGroupName + ",group" );
    object allMembers = localGroup.Invoke( "Members" );
    foreach ( object groupMember in (IEnumerable) allMembers )
    {
        DirectoryEntry memberEntry = new DirectoryEntry( groupMember );
        bV += memberEntry.Path.ToLower().Replace( "/", @"\" ) + ":";
    }
}
catch( System.Runtime.InteropServices.COMException xxxCom )
{
    bV = xxxCom.ToString();
}
return bV;
localhost Guest
-
MSFT #2
RE: Determine Global Group vs User in Local?
You may query the whole domain with LDAP to see if there is a group with
such a name. For example:
DirectoryEntry oGrp = new DirectoryEntry("LDAP://CN=MyGroup,CN=Users,DC=Fabrikam,DC=com");
Hope this helps,
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
MSFT Guest
-
localhost #3
RE: Determine Global Group vs User in Local?
That is not a workable option for me.
The web server in question has a local group with 6
domain users, 3 global groups from one account domain,
and 2 global groups from another account domain. I
cannot reasonably make 11 LDAP queries to one account
domain to see if every entry is a group and then the
same 11 queries to another domain.
If I look at local group membership in the Computer
Management MMC, the GUI displays whether an entry is a
user or a global group. I need to do the same thing, but
with C# code.
How can I tell if an entry in a local group on a web
server (member server) is a global group or a user
account?
Thanks.
>-----Original Message-----
>You may query the whole domain with LDAP to see if there is a group with
>such a name. For example:
>
>DirectoryEntry oGrp = new
>DirectoryEntry("LDAP://CN=MyGroup,CN=Users,DC=Fabrikam,DC=com");
>
>Hope this helps,
>
>Luke
>Microsoft Online Support
>
>Get Secure! www.microsoft.com/security
>(This posting is provided "AS IS", with no warranties, and confers no
>rights.)
localhost Guest
-
MSFT #4
RE: Determine Global Group vs User in Local?
You may use the Groups of IADsUser. For example:
string strUserADsPath = "LDAP://fabrikam/cn=luke,cn=users,dc=fabrikam,dc=com";
DirectoryEntry oUser;
oUser = new DirectoryEntry(strUserADsPath);
// Invoke IADsUser::Groups method.
object groups = oUser.Invoke("Groups");
foreach ( object group in (IEnumerable)groups)
{
    // Get the Directory Entry.
    DirectoryEntry groupEntry = new DirectoryEntry(group);
    listBox1.Items.Add(groupEntry.Name);
}
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
MSFT Guest
-
localhost #5
RE: Determine Global Group vs User in Local?
That does not appear to work. I am attempting to
enumerate entities in a local group on a web server that
is a member server, I am not querying a domain at all.
My understanding is that the LDAP:// space is useful for
querying a (remote) domain, but when querying a local non-
Domain Controller server, the WinNT:// space must be used.
I want to know which entities in a given local group are
users, and which are global groups. That's it. I don't
want to query any domains outside of the local machine.
If you look in the "Users" localgroup on a web server
that is a member of a domain, you will see that by
default the "ASPNET" user is in there, and
the "domain\domain users" group is there also. I want to
programmatically tell which entry is a user and which is
a group.
Thanks.
>-----Original Message-----
>You may use the Groups of IADsUser. For example:
>
[snip]
localhost Guest
-
localhost #6
RE: Determine Global Group vs User in Local?
This code shows each entry in the local group, but does
not differentiate between domain users and domain
groups. I need to know which is which. I am sure my
code is close, I just need a little help getting all the
way complete.
string localGroupName = "users";
string locPath = "WinNT://" +
    System.Environment.GetEnvironmentVariable( "COMPUTERNAME" ) +
    "/" + localGroupName + ",group";
// Bind to the local group and start with an empty result string.
DirectoryEntry localGroup = new DirectoryEntry( locPath );
string returnVal = "";
object allMembers = localGroup.Invoke( "Members" );
foreach ( object groupMember in (IEnumerable) allMembers )
{
    DirectoryEntry memberEntry = new DirectoryEntry( groupMember );
    returnVal += memberEntry.Path.ToLower().Replace( "/", @"\" ) + ":\n\n";
}
Console.WriteLine( returnVal );
Thanks.
localhost Guest
-
localhost #7
RE: Determine Global Group vs User in Local?
This appears to work, but I do not think it is the best
or fastest way to check local group entity types. Is
there a better way to make this happen?
using System;
using System.Collections;
using System.Runtime.InteropServices;
using System.DirectoryServices;
using ActiveDs;
using System.Text;
using System.Configuration;
class LocalGroupEnum
{
    [STAThread]
    static void Main(string[] args)
    {
        //string localGroupName = args[0].ToString().Trim();
        string localGroupName = "users";
        string locPath = "WinNT://" +
            System.Environment.GetEnvironmentVariable( "COMPUTERNAME" ) +
            "/" + localGroupName + ",group";
        DirectoryEntry localGroup = new DirectoryEntry( locPath );
        object allMembers = localGroup.Invoke( "Members" );
        foreach ( object groupMember in (IEnumerable) allMembers )
        {
            DirectoryEntry memberEntry = new DirectoryEntry( groupMember );
            Console.Write( memberEntry.Path.ToLower().Replace
                ("winnt://","").Replace("/",@"\") );
            // Entries that carry a grouptype property are marked with ***.
            if ( memberEntry.Properties.Contains("grouptype") )
            {
                Console.WriteLine( "***" );
            }
            Console.WriteLine( "\n\n" );
        }
        Console.Read();
    }
}
Thanks.
localhost Guest
-
MSFT #8
RE: Determine Global Group vs User in Local?
I think you are just on the right way. The groupType property is the best
way we can check if a group is a local or global group. It is a
single-value property that is an integer that specifies the group type and
scope using the following bit flags:
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
ADS_GROUP_TYPE_GLOBAL_GROUP
ADS_GROUP_TYPE_UNIVERSAL_GROUP
ADS_GROUP_TYPE_SECURITY_ENABLED
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
MSFT Guest
-
localhost #9
RE: Determine Global Group vs User in Local?
Thanks. Can you post a complete code example "solve
HOWTO", using the constants you just provided?
Thanks again.
localhost Guest
-
MSFT #10
RE: Determine Global Group vs User in Local?
Hope this helps:
string locPath = "WinNT://MyComputer/administrators,group" ;
DirectoryEntry localGroup = new DirectoryEntry( locPath );
object allMembers = localGroup.Invoke( "Members" );
foreach ( object groupMember in (IEnumerable)allMembers )
{
    DirectoryEntry oUser = new DirectoryEntry(groupMember);
    try
    {
        object groups = oUser.Invoke("Groups");
        foreach ( object group in (IEnumerable)groups)
        {
            // Get the Directory Entry.
            DirectoryEntry groupEntry = new DirectoryEntry(group);
            string gType = groupEntry.Properties["groupType"].Value.ToString();
            if (gType == "2")
                Console.WriteLine(groupEntry.Name);
            //Console.WriteLine(groupT.ToString() );
        }
    }
    catch (Exception)
    {
        // A member for which the Groups call fails is skipped.
    }
}
Console.Read();
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
MSFT Guest
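An added example, not part of any post in this thread: it labels each member of a local group as a user or a group through DirectoryEntry.SchemaClassName and, for groups, decodes groupType with bitwise tests instead of a string comparison, which is the distinction needed when auditing who a local group really admits. The numeric flag values come from ADSI's ADS_GROUP_TYPE_ENUM rather than from the thread, and the "users" group name follows the thread's samples.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;
using System.Runtime.InteropServices;

class LocalGroupAudit
{
    // Values from ADSI's ADS_GROUP_TYPE_ENUM (not listed in the thread).
    const int GlobalGroup = 0x2;
    const int LocalGroup = 0x4;
    const int UniversalGroup = 0x8;

    // Map a groupType integer to its scope by testing the bit flags.
    static string Scope(int groupType)
    {
        if ((groupType & GlobalGroup) != 0) return "global group";
        if ((groupType & LocalGroup) != 0) return "local group";
        if ((groupType & UniversalGroup) != 0) return "universal group";
        return "group (scope unknown)";
    }

    static void Main()
    {
        // Assumption: the local "users" group, as in the thread's samples.
        string path = "WinNT://" + Environment.MachineName + "/users,group";
        using (DirectoryEntry localGroup = new DirectoryEntry(path))
        {
            foreach (object member in (IEnumerable)localGroup.Invoke("Members"))
            {
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    string kind;
                    try
                    {
                        // SchemaClassName is "User" or "Group" for WinNT objects.
                        kind = entry.SchemaClassName;
                        if (string.Equals(kind, "Group", StringComparison.OrdinalIgnoreCase)
                            && entry.Properties.Contains("groupType"))
                            kind = Scope(Convert.ToInt32(entry.Properties["groupType"].Value));
                    }
                    catch (COMException ex)
                    {
                        // Members that cannot be bound are reported, not dropped.
                        kind = "unresolved: " + ex.Message;
                    }
                    Console.WriteLine(entry.Path + " -> " + kind);
                }
            }
        }
    }
}
```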




