I am trying to get detailed information about a user's group membership using directory services queries to the global catalog. I don't want to use GetAuthorizationGroups() because it's flaky.
There are 2 domains: DomainA and DomainB. The global catalog server is a domain controller for DomainB. Finally, there is a user (UserA) which is part of DomainA.
I find UserA in the global catalog and look at the tokenGroups property to get the SIDs of all groups to which UserA belongs.
To my great surprise, I find that DomainB\Domain Users is included in the list. Why is this being included, given that UserA is not part of DomainB?
Here is the code I'm running:
```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;

// Wrapping method added so the snippet compiles; the original was posted as a method body only.
static List<string> GetTokenGroupNames()
{
    using (DirectoryEntry gc = new DirectoryEntry("GC:"))
    {
        // Constant here; if this ever comes from user input, escape it (LDAP filter injection).
        string userPrincipalName = "UserA@DomainA.local";
        DirectoryEntry searchRoot = null;
        gc.AuthenticationType = AuthenticationTypes.Secure;

        // There is only 1 child under "GC:".
        foreach (DirectoryEntry de in gc.Children)
        {
            searchRoot = de;
            break;
        }

        using (searchRoot)
        {
            SearchResult samResult;
            using (var samSearcher = new DirectorySearcher())
            {
                // Find the user.
                samSearcher.SearchRoot = searchRoot;
                samSearcher.Filter = "(userPrincipalName=" + userPrincipalName + ")";
                samSearcher.PropertiesToLoad.Add("distinguishedName");
                samResult = samSearcher.FindOne();
            }
            if (samResult == null)
                throw new InvalidOperationException("User not found in the global catalog.");

            List<byte[]> tokenGroups;
            using (DirectoryEntry theUser = samResult.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute; it has to be requested explicitly.
                theUser.RefreshCache(new string[] { "tokenGroups" });
                tokenGroups = theUser.Properties["tokenGroups"].Cast<byte[]>().ToList();

                IdentityReferenceCollection irc = new IdentityReferenceCollection(tokenGroups.Count);
                foreach (byte[] groupSidBytes in tokenGroups)
                {
                    irc.Add(new SecurityIdentifier(groupSidBytes, 0));
                }

                // forceSuccess = true: throws if any SID cannot be resolved to an NTAccount.
                List<string> groupNames = irc.Translate(typeof(NTAccount), true)
                    .Cast<NTAccount>()
                    .Select(a => a.Value.ToString())
                    .ToList();
                return groupNames;
            }
        }
    }
}
```
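Added diagnostic, not part of the original question: tokenGroups is a constructed attribute, so it is computed by whichever DC answers the request. This PowerShell script (to be run on a domain-joined Windows host) reads tokenGroups for the same user object twice, once through the global catalog on a DomainB DC and once through an LDAP bind to a DomainA DC, and prints the SIDs that appear on only one side. The server names and the user's distinguishedName are placeholders to replace with your own values.

```powershell
# Added diagnostic, not from the original post. Placeholders (assumptions):
#   $UserDn   - the user's distinguishedName as found in the GC
#   $GcServer - a DomainB DC that hosts the global catalog
#   $HomeDc   - a DomainA DC (the user's own domain)
param(
    [string]$UserDn   = 'CN=UserA,CN=Users,DC=DomainA,DC=local',
    [string]$GcServer = 'dcB.DomainB.local',
    [string]$HomeDc   = 'dcA.DomainA.local'
)

function Get-TokenGroupSids {
    param([string]$Path)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $entry.AuthenticationType = [System.DirectoryServices.AuthenticationTypes]::Secure
    # tokenGroups is constructed by the DC answering the request; ask for it explicitly.
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $sids = foreach ($b in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($b, 0)
    }
    $entry.Dispose()
    $sids
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Fall back to the raw SID for groups the local machine cannot resolve.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

$viaGc   = Get-TokenGroupSids -Path "GC://$GcServer/$UserDn"
$viaHome = Get-TokenGroupSids -Path "LDAP://$HomeDc/$UserDn"

# SIDs present in one result but not the other.
Compare-Object -ReferenceObject @($viaHome.Value) -DifferenceObject @($viaGc.Value) |
    ForEach-Object {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.InputObject)
        $side = if ($_.SideIndicator -eq '=>') { 'GC (DomainB DC) only' } else { 'DomainA DC only     ' }
        '{0} {1} ({2})' -f $side, (Resolve-SidName $sid), $sid.Value
    }
```

If DomainB\Domain Users shows up only on the GC side, the difference comes from which DC computed the constructed attribute rather than from the user's stored memberships; the same comparison can be repeated with tokenGroupsGlobalAndUniversal, which leaves out domain-local groups.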