What is the relationship, if any, between Active Directory groups and groups in Exchange?

1

6

Tasked with creating a login page that would allow members of two specific groups access to some controllers and actions in an MVC project, I set about to create a role provider for AD. I managed to get it configured with forms authentication, and to enumerate the groups to which an authenticated user belongs in AD.

It turns out, however, that the groups I was asked to set this up for are not AD groups. I see lots of groups, but not the ones in question.

The request was based on the fact that these groups show up in the global address book from Exchange, but there doesn't seem to be a 1:1 relationship.

Is there any relationship?

Cleavers answered 7/1, 2011 at 5:30 Comment(2)
One thing that comes to my mind is the distribution list and security group. When you create a group in AD, you can set whether it's a security group or a distribution list. A security group is used in ACLs, while a distribution list is used mainly for email lists and other non-ACL-related stuff. How are you getting the groups your user belongs to? Some APIs might just give you security groups but not distribution lists. – Coherent
@Harvey Thanks, yes that is what I've found. In .NET, I was calling UserPrincipal.GetAuthorizationGroups(), when the groups in question were distribution groups. Calling UserPrincipal.GetGroups() returns them all. Post an answer and I'll accept. – Cleavers
7

There are two types of groups in Active Directory: distribution lists and security groups. A security group is used in ACLs, while a distribution list is used mainly for email lists and other non-ACL-related stuff.

  • UserPrincipal.GetAuthorizationGroups() returns security groups only.
  • UserPrincipal.GetGroups() returns security groups as well as distribution lists.

Beware that, unlike UserPrincipal.GetAuthorizationGroups(), UserPrincipal.GetGroups() returns only the immediate groups that a user belongs to. If GroupA contains GroupB and GroupB contains UserX, userX.GetGroups() returns GroupB only but not GroupA.

Just a side note: there are bugs in .NET 3.5 SP1. UserPrincipal.GetGroups() may not work properly; you may like to check out this hotfix: http://support.microsoft.com/kb/969166

Coherent answered 8/1, 2011 at 1:54 Comment(0)
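
The following is an added example, not part of the original answer or comments. It walks GetGroups() recursively so nested memberships (GroupB inside GroupA) are covered, labels each group as security or distribution via GroupPrincipal.IsSecurityGroup, and then lists GetAuthorizationGroups() for comparison. It assumes a domain-joined machine; the account name is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

static class GroupAudit
{
    // Walk GetGroups() upward so nested memberships are included.
    // The 'seen' map stops circular nesting (A in B, B in A) from looping forever.
    static void Collect(Principal p, Dictionary<string, GroupPrincipal> seen)
    {
        foreach (Principal parent in p.GetGroups())
        {
            var g = parent as GroupPrincipal;
            if (g == null) continue;
            string key = g.DistinguishedName ?? g.Name;
            if (seen.ContainsKey(key)) continue;
            seen[key] = g;
            Collect(g, seen);
        }
    }

    static void Main(string[] args)
    {
        // Assumption: the account name below is a placeholder, pass a real one as argv[0].
        string account = args.Length > 0 ? args[0] : "PLACEHOLDER_SAM_ACCOUNT_NAME";
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, account))
        {
            if (user == null) { Console.Error.WriteLine("User not found: " + account); return; }

            var all = new Dictionary<string, GroupPrincipal>(StringComparer.OrdinalIgnoreCase);
            Collect(user, all);

            foreach (var g in all.Values)
            {
                // IsSecurityGroup is a nullable bool; treat "unknown" as not security-enabled.
                bool security = g.IsSecurityGroup ?? false;
                Console.WriteLine("{0,-12} {1}", security ? "security" : "distribution", g.Name);
            }

            // For comparison: the groups the directory reports for authorization.
            foreach (Principal p in user.GetAuthorizationGroups())
                Console.WriteLine("{0,-12} {1}", "authz", p.Name);
        }
    }
}
```

Groups printed as "distribution" are the ones that appear in the Exchange address book but are absent from the GetAuthorizationGroups() output.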
