Decrypt my World

Cryptography, Security, Debugging and more!

System.DirectoryServices.AccountManagement.UserPrincipal.IsMemberOf returns false negatives


Hi all,


Some time ago a customer of mine faced the following issue in his .NET Framework 3.5 application: System.DirectoryServices.AccountManagement.UserPrincipal.IsMemberOf returned false negatives when the group had more than 1500 members. That is, the method returned false even though the user really was a member of the group. The same check worked correctly from VBScript and ADSI.

This turned out to be a limitation of .NET Framework 3.5, which does not implement LDAP range retrieval for large AD groups (more than 1000 or 1500 members, depending on the server version), so it only ever reads the first batch of values of the group's member attribute.


My customer ended up applying a really simple workaround: retrieve all the groups the user belongs to (around 100 in his case) and look for the desired group in that collection.


Note that this is not an issue on .NET Framework 4.0, which now implements range retrieval.

I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)


  • There also seems to be a problem with recursive membership.

    For example, the user is a member of group A, and group A is a member of group B.

    "user.GetAuthorizationGroups()" includes group B;

    "groupB.GetMembers(true)" includes the user;

    "user.IsMemberOf(groupB)" returns false.
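The following is an added example, not code from the post or from the comment above. It implements the workaround described in the post (enumerate the user's groups and look for the target group) and also covers the nested-membership case raised in the comment by checking the user's authorization groups. Matching is done on SID rather than on name, so a renamed group still matches. The domain name "CONTOSO", the user "jdoe" and the group "BigGroup" are placeholder values; the code must run under an account that can read the directory.

```csharp
using System;
using System.Linq;
using System.DirectoryServices.AccountManagement;

// Added example (assumed environment): domain "CONTOSO", user "jdoe", group "BigGroup".
// Compile against System.DirectoryServices.AccountManagement (.NET Framework 3.5 SP1 or later).
static class MembershipCheck
{
    // Direct membership, the post's workaround: GetGroups() returns the groups the user
    // is listed in directly (equivalent to the user's memberOf plus the primary group),
    // so it does not depend on reading the large group's member attribute.
    public static bool IsDirectMember(UserPrincipal user, GroupPrincipal group)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetGroups())
        {
            return groups.Any(g => g.Sid != null && g.Sid.Equals(group.Sid));
        }
    }

    // Effective membership, the case from the comment: GetAuthorizationGroups() expands
    // nested groups (user in A, A in B => B is included), which IsMemberOf does not do.
    public static bool IsEffectiveMember(UserPrincipal user, GroupPrincipal group)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        {
            return groups.Any(g => g.Sid != null && g.Sid.Equals(group.Sid));
        }
    }

    static void Main()
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "CONTOSO"))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "jdoe"))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "BigGroup"))
        {
            if (user == null || group == null)
            {
                Console.WriteLine("User or group not found.");
                return;
            }

            // On .NET 3.5 the first line can print False for a large group even when the
            // user is a member; the two workaround checks do not share that limitation.
            Console.WriteLine("IsMemberOf:                {0}", user.IsMemberOf(group));
            Console.WriteLine("Direct (GetGroups):        {0}", IsDirectMember(user, group));
            Console.WriteLine("Effective (authorization): {0}", IsEffectiveMember(user, group));
        }
    }
}
```

Use IsDirectMember when the question is "is the user listed in this group", and IsEffectiveMember when the question is "does this group's permissions apply to the user", since only the latter follows group nesting. GetAuthorizationGroups is evaluated by the domain controller from the user's token groups, so it also reflects primary group membership; it is therefore the better check for access decisions, while GetGroups is the closer replacement for what IsMemberOf was meant to answer.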
