Unable to get the list of domain member group for the user


I am using the C# code below to check whether the user is part of the required domain member group.

The username passed in is part of 3 member groups, but the code is returning the first domain group member name and exiting from the for loop. Please help me to get the entire list of domain groups for the user.

using System;
using System.DirectoryServices.AccountManagement;

// Returns true if sUserName is a direct member of sGroupName in the current domain.
static bool IsInGroup(string sUserName, string sPassword, string sGroupName)
{
    bool bReturn = false;
    string sDomainName = System.Environment.UserDomainName;
    using (PrincipalContext oContext = new PrincipalContext(ContextType.Domain, sDomainName))
    {
        if (oContext.ValidateCredentials(sUserName, sPassword))
        {
            using (PrincipalSearcher oSearcher = new PrincipalSearcher(new UserPrincipal(oContext)))
            {
                oSearcher.QueryFilter.SamAccountName = sUserName;
                Principal oPrincipal = oSearcher.FindOne();
                if (oPrincipal != null)
                {
                    // GetGroups() returns only direct memberships (the user's memberOf attribute).
                    foreach (Principal oPrin in oPrincipal.GetGroups())
                    {
                        if (oPrin.Name.Trim().Equals(sGroupName))
                        {
                            bReturn = true;
                            break;
                        }
                    }
                }
            }
        }
    }
    return bReturn;
}

Tell me if I got it wrong. I can only see one purpose, to return a bool? BTW, even if that's not the case, try removing break;

using System;
using System.DirectoryServices.AccountManagement;

// Same check as in the question, without the break, so every direct group is visited.
static bool IsInGroup(string sUserName, string sPassword, string sGroupName)
{
    bool bReturn = false;
    string sDomainName = System.Environment.UserDomainName;
    using (PrincipalContext oContext = new PrincipalContext(ContextType.Domain, sDomainName))
    {
        if (oContext.ValidateCredentials(sUserName, sPassword))
        {
            using (PrincipalSearcher oSearcher = new PrincipalSearcher(new UserPrincipal(oContext)))
            {
                oSearcher.QueryFilter.SamAccountName = sUserName;
                Principal oPrincipal = oSearcher.FindOne();
                if (oPrincipal != null)
                {
                    foreach (Principal oPrin in oPrincipal.GetGroups())
                    {
                        if (oPrin.Name.Trim().Equals(sGroupName))
                        {
                            //your stuff here (assign vars, values etc)
                            bReturn = true; // <--
                        }
                    }
                }
            }
        }
    }
    return bReturn;
}

because, based on the logic that you use, if it meets one condition it will stop the loop.


Instead of your loop, use the IsMemberOf method:

bReturn = oPrincipal.IsMemberOf(oContext, IdentityType.Name, sGroupName);

That will probably work for you. But keep in mind that this (and your loop method) will only work if the group is listed in the memberOf attribute of the user. If:

  1. You have more than one domain in your AD forest, and
  2. The group you are working with is Global or Domain Local, and
  3. The group is not on the same domain as the user

then it will not work.

I talk about that in one of the articles I wrote on my site: Find out if one user is a member of a group
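As an added example (not code from the question or from either answer above), here is a membership check that does not depend on the user's memberOf attribute. It reads the tokenGroups attribute, which the domain controller computes on request as the transitive set of security group SIDs for the user, and compares group SIDs rather than display names, so nested memberships and universal groups from other domains in the forest are found. It still will not see a Domain Local group that lives in another domain, for the reason given above: those are only expanded when the user logs on to a resource in that domain. It assumes the System.DirectoryServices and System.DirectoryServices.AccountManagement assemblies are referenced and that the process runs as a domain account with read access to the user and group objects (the same access the question's code needs). The class, method, user and group names are placeholders and not identifiers from this page.

```csharp
// Added example; not code from the question or answers.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupMembership
{
    // Returns the SIDs of every security group the user is a transitive member of,
    // as computed by the domain controller (the constructed tokenGroups attribute).
    // Nested groups are included, as are universal groups from other domains in the
    // forest. Domain Local groups from other domains are not included.
    public static HashSet<SecurityIdentifier> GetTokenGroups(UserPrincipal user)
    {
        var sids = new HashSet<SecurityIdentifier>();
        // The underlying DirectoryEntry is owned by the UserPrincipal; do not dispose it here.
        var entry = (DirectoryEntry)user.GetUnderlyingObject();

        // tokenGroups is a constructed attribute and is not returned by a normal read;
        // it has to be requested explicitly.
        entry.RefreshCache(new[] { "tokenGroups" });
        foreach (byte[] raw in entry.Properties["tokenGroups"])
        {
            sids.Add(new SecurityIdentifier(raw, 0));
        }
        return sids;
    }

    // Compares SIDs rather than names: a group can be renamed or share a display
    // name with another group, but its SID is unique within the forest.
    public static bool IsMemberOfGroup(string domain, string userName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + userName);
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            return GetTokenGroups(user).Contains(group.Sid);
        }
    }

    static void Main()
    {
        // Placeholder names; replace with real values from your environment.
        bool ok = IsMemberOfGroup(Environment.UserDomainName, "jdoe", "App-Admins");
        Console.WriteLine(ok ? "member (directly or through nesting)" : "not a member");
    }
}
```

If the caller's account cannot read the user object, RefreshCache throws rather than returning an empty list, which is the behaviour you want: an access-denied error should not be mistaken for "not a member".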


The C# code is unable to fetch AD membership details because of a privilege issue. I have used net group "<GroupName>" to get the list of users that are part of the group and then checked for the required user in the list.

It is another option to verify that the user is a member of the required group.


Comments
  • possible duplicate: stackoverflow.com/questions/252882/…
  • you're very funny :-)
  • The foreach loop is executing only once even if the user is part of multiple domain groups.
  • Thanks Gabriel Luci. Unfortunately the suggestion is not working because of user privileges.
  • Then you will need to fix that first.