Hello,

I am currently developing an application that needs to implement role-based
security against roles defined as NT Groups.  Here is the actual situation:

The servers are all W2K, but the Domain Controllers are Windows NT4.
Domain users are mapped to domain groups which are mapped to local machine
groups (don't ask why... it just is)

In .NET I need a way to enumerate a user's local machine group membership
and have tried various methods.  (If you know of an easier way to do this,
I'd really appreciate it!)

1.  Use DirectoryEntry with WinNT://mycomputer/username to retrieve the
user object.  Cast to the IADsUser NativeObject for navigation to enumerate
groups.  Unfortunately, I worry this may require elevated user rights to
operate.  (And it uses COM interop against activeds.tlb.)

2.  Set the PrincipalPolicy to WindowsPrincipal for the current AppDomain,
retrieve and query the thread's WindowsPrincipal for role information.
(This works great, but I can only ask IsInRole, I can't get all the roles)

I would prefer to do this in a simple, .NET way with minimal COM interop,
so I am leaning toward method 2.  My question is this, the roles that the
WindowsPrincipal uses are in the form "mycomputer\localgroupname" which
poses deployment issues (with declarative security).  I would like to
create a GenericPrincipal with the roles "localgroupname" (strip off the
local computer name).

Is there an easy way to look at the roles stored in the WindowsPrincipal
without having to repeatedly call .IsInRole()?  Or is there an easier way
to do declarative security against the WindowsPrincipal?

Namely:

[PrincipalPermission(SecurityAction.Demand,
Role="mycomputer\localgroupname")] - won't work because it hard-codes the
computer name?

Thanks for your help,

Joe Fourness

You can read messages from the Advanced DOTNET archive, unsubscribe from
Advanced DOTNET, or subscribe to other DevelopMentor lists at
http://discuss.develop.com.

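Added example, not from the original post or any reply to it: one way to get the full
role list out of the current Windows token and expose it under unqualified local group
names, so a PrincipalPermission demand for "localgroupname" works without the machine
name hard-coded. It assumes .NET Framework 2.0 or later (WindowsIdentity.Groups and the
System.Security.Principal SID-to-NTAccount translation did not exist when the post was
written), that it runs on a Windows machine, and that "localgroupname" is a placeholder
for a real local group. PrincipalPermission demands are not supported on .NET Core.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not code from the original post). Assumes .NET Framework 2.0+ on Windows.
static class LocalRoles
{
    // Name of this machine, used to recognise "mycomputer\group" entries in the token.
    static readonly string Machine = Environment.MachineName;

    // Enumerate every group SID in the user's access token as an NT account name.
    // Local-machine groups come back with the machine prefix stripped ("Users");
    // everything else keeps its "AUTHORITY\name" form. Keeping domain groups qualified
    // is deliberate: stripping every prefix would make "DOMAIN\Administrators" and
    // "MYCOMPUTER\Administrators" the same role and silently widen access.
    public static string[] GetRoles(WindowsIdentity identity)
    {
        var roles = new List<string>();
        foreach (IdentityReference group in identity.Groups)
        {
            string name;
            try
            {
                name = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned or unresolvable SID (deleted group, unreachable DC):
                // keep the raw SID string so the role set still mirrors the token.
                name = group.Value;
            }

            int slash = name.IndexOf('\\');
            if (slash > 0 &&
                string.Equals(name.Substring(0, slash), Machine, StringComparison.OrdinalIgnoreCase))
            {
                name = name.Substring(slash + 1);
            }
            roles.Add(name);
        }
        return roles.ToArray();
    }

    // Wrap the real WindowsIdentity in a GenericPrincipal carrying the stripped role
    // names and install it on the current thread. Declarative demands read from
    // Thread.CurrentPrincipal, so no AppDomain PrincipalPolicy change is needed.
    public static GenericPrincipal InstallPrincipal()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var principal = new GenericPrincipal(id, GetRoles(id));
        Thread.CurrentPrincipal = principal;
        return principal;
    }

    // The demand now names only the local group; the machine name is not hard-coded.
    // "localgroupname" is a placeholder for the real local group.
    [PrincipalPermission(SecurityAction.Demand, Role = "localgroupname")]
    public static void ProtectedOperation()
    {
        Console.WriteLine("Caller is a member of the required local group.");
    }

    static void Main()
    {
        GenericPrincipal p = InstallPrincipal();
        Console.WriteLine("Roles for " + p.Identity.Name + ":");
        foreach (string role in GetRoles((WindowsIdentity)p.Identity))
        {
            Console.WriteLine("  " + role);
        }

        try
        {
            ProtectedOperation();
        }
        catch (SecurityException)
        {
            Console.WriteLine("Demand for role 'localgroupname' was refused.");
        }
    }
}
```

Two things to check before relying on this. The GenericPrincipal's role set is only as
trustworthy as the code that built it, so build it from the token (as above) rather than
from any caller-supplied list, and install it before any code that performs demands runs.
And the SID-to-name translation contacts the authority that owns each SID, so for domain
groups it needs a reachable domain controller; the catch block above keeps unresolvable
SIDs in the role list instead of dropping them, which is the safer failure mode for an
allow-list check.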