I have an application that uses Active Directory authorisation and it has been decided that it needs to support nested AD groups, e.g.:
```
MAIN_AD_GROUP
|
|-> SUB_GROUP
    |
    |-> User
```
So, the user is not directly a member of MAIN_AD_GROUP. I'd like to be able to look for the user recursively, searching the groups nested in MAIN_AD_GROUP.
The main problem is that I'm using .NET 3.5 and there is a bug in System.DirectoryServices.AccountManagement in .NET 3.5 whereby the method UserPrincipal.IsMemberOf() will not work for groups with more than 1500 users. So I can't use UserPrincipal.IsMemberOf(), and no, I can't switch to .NET 4 either.
I've worked around this last problem with the following function:
```csharp
using System.DirectoryServices.AccountManagement;
using System.Linq;

// Returns true only if the user is a DIRECT member of the group:
// GetGroups() does not follow nested group memberships.
private bool IsMember(Principal userPrincipal, Principal groupPrincipal)
{
    using (var groups = userPrincipal.GetGroups())
    {
        var isMember = groups.Any(g =>
            g.DistinguishedName == groupPrincipal.DistinguishedName);
        return isMember;
    }
}
```
But userPrincipal.GetGroups() only returns the groups of which the user is a direct member. How can I get this to work with nested groups?
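One way to handle nesting without touching the large group's member list, as an added example that is not part of the original question: walk upward from the user by calling GetGroups() on each parent group in turn (Principal.GetGroups() is available on GroupPrincipal as well as UserPrincipal in .NET 3.5), and keep a visited set so that circular nesting, which AD permits, cannot loop forever. The class name NestedMembership, the domain name and the account names are placeholders of my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example, not the asker's code. Walks memberOf links upward from the
// user instead of expanding MAIN_AD_GROUP, so groups with more than 1500
// members are never enumerated and the IsMemberOf() bug is not triggered.
static class NestedMembership
{
    // True if 'user' is a direct or nested member of 'targetGroup'.
    public static bool IsMemberRecursive(Principal user, GroupPrincipal targetGroup)
    {
        // AD distinguished names are case-insensitive; compare accordingly.
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        return IsMemberRecursive(user, targetGroup.DistinguishedName, seen);
    }

    private static bool IsMemberRecursive(Principal current, string targetDn, HashSet<string> seen)
    {
        using (PrincipalSearchResult<Principal> parents = current.GetGroups())
        {
            foreach (Principal parent in parents)
            {
                string dn = parent.DistinguishedName;
                if (string.Equals(dn, targetDn, StringComparison.OrdinalIgnoreCase))
                    return true;

                // 'seen' guards against circular nesting (A in B, B in A) and
                // against re-walking a group reachable by several paths.
                if (dn == null || !seen.Add(dn))
                    continue;

                if (IsMemberRecursive(parent, targetDn, seen))
                    return true;
            }
        }
        return false;
    }

    // Placeholder domain and account names; replace with your own.
    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, "example.corp"))
        using (var user = UserPrincipal.FindByIdentity(ctx, "jdoe"))
        using (var grp = GroupPrincipal.FindByIdentity(ctx, "MAIN_AD_GROUP"))
        {
            Console.WriteLine(IsMemberRecursive(user, grp));
        }
    }
}
```

Because this follows the memberOf attribute as seen by the domain controller you query, memberships that controller does not record there (for example domain local groups in another domain) will not be found.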