[python-win32] Is this user a member of a given Active Directory group?

Vernon Cole vernondcole at gmail.com
Mon Aug 4 23:46:20 CEST 2008


Tim,
  You Da Man!
Vernon

based on your suggestion, I have:
<code>
import win32security

def testMemberOf(GROUP_NAME):
    # Resolve the group name to a SID; None = look on the local machine first.
    try:
        sid, system, sid_type = win32security.LookupAccountName(None, GROUP_NAME)
    except win32security.error:
        raise ValueError('"%s" is not a valid group name' % GROUP_NAME)
    # True if that SID is present and enabled in the current token.
    return win32security.CheckTokenMembership(None, sid)
</code>

On Mon, Aug 4, 2008 at 7:29 AM, Tim Golden <mail at timgolden.me.uk> wrote:

> Vernon Cole wrote:
>
>> My company makes use of Active Directory to determine what rights a given
>> user has in an application system. If the user is a member of a certain
>> group, then (s)he has the right to perform some set of functions. For
>> example, if VCOLE is a member of WCPO-CREATE then I can create new purchase
>> orders.
>>
>
> Maybe someone's already picked this up, in which case
> sorry for the duplicate. (I'm away in Manchester at
> the moment and only checking email occasionally).
>
> The answer might be one of two things, depending on
> how your app works. Conventionally, what one does is
> to determine whether a given SID (representing an
> access group such as WCPO-CREATE) is present and
> enabled in the process token of the currently
> logged-on token (which might be an impersonation
> token). The alternative is to check the user's AD entry
> for group membership, which is a whole different
> set of APIs. The former suffers from the fact that
> the logged-on token's groups might have been superseded
> by some security change, i.e. if the user logged on at
> 8am then his token represents his group memberships
> at that point. If he was denied some group at 8.30am
> and it's now 9am, his token will still contain this
> group but his AD group membership will show otherwise.
>
> Assuming the first, then it's quite simple. You
> use the CheckTokenMembership function in the
> win32security module against the logged-on token.
>
> I've created a (local) WCPO-CREATE group and put
> myself in it. This, then, is the test I would use:
> [using 4 spaces which I think you prefer :) ]
>
> <code>
> import win32security
>
> GROUP_NAME = "WCPO-CREATE"
>
> sid, system, type = win32security.LookupAccountName (
>    None, GROUP_NAME
> )
> if win32security.CheckTokenMembership (
>    None, sid
> ):
>    print "I am in", GROUP_NAME
> else:
>    print "I am not in", GROUP_NAME
>
> </code>
>
> If you had a local group which shadowed an AD group,
> you'd need to specify a domain or a DC name as the
> first param of the LookupAccountName. Using None
> as the first of the params to CheckTokenMembership
> should use the process token even if it's an
> impersonation token. This is generally what you
> want.
>
> TJG
> _______________________________________________
> python-win32 mailing list
> python-win32 at python.org
> http://mail.python.org/mailman/listinfo/python-win32
>
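The token-based check Tim describes, as an added example (not code from Vernon, Tim or pywin32), written for Python 3. It assumes pywin32's win32security.LookupAccountName and CheckTokenMembership; the `lookup`/`check` hook parameters, the UnknownAccount class and the fake account table are my own constructed additions so the logic can be exercised off Windows. It goes a little beyond the thread: it takes a domain or DC name for the shadowed-group case Tim mentions, and it refuses a name that resolves to something other than a group (a user account typed by mistake), so a typo fails closed rather than silently answering "not a member". The SID-type constants carry the same numbers as win32security.SidTypeGroup, SidTypeAlias and SidTypeWellKnownGroup.

```python
"""Token-based group check for the thread above (added example, not the list's code)."""
import sys

try:
    import pywintypes
    import win32security                     # pywin32, Windows only
except ImportError:                          # allow import (and testing) elsewhere
    pywintypes = None
    win32security = None

# SID_NAME_USE values; same numbers as win32security.SidTypeUser/Group/Alias/WellKnownGroup
SID_TYPE_USER, SID_TYPE_GROUP, SID_TYPE_ALIAS, SID_TYPE_WELL_KNOWN_GROUP = 1, 2, 4, 5
GROUP_SID_TYPES = (SID_TYPE_GROUP, SID_TYPE_ALIAS, SID_TYPE_WELL_KNOWN_GROUP)

# errors a lookup may raise: pywintypes.error on Windows, LookupError from the fakes below
_LOOKUP_ERRORS = (LookupError,) + ((pywintypes.error,) if pywintypes else ())


class UnknownAccount(ValueError):
    """The name did not resolve to a group SID (typo, wrong domain, or a user)."""


def resolve_group_sid(group_name, system=None, lookup=None):
    """Resolve group_name to (sid, domain) and insist that it is a group.

    system: None = local machine first; pass a domain or DC name when a local
    group shadows the AD group, as Tim notes.
    """
    if lookup is None:
        if win32security is None:
            raise RuntimeError("pywin32 is needed for a real lookup")
        lookup = win32security.LookupAccountName
    try:
        sid, domain, sid_type = lookup(system, group_name)
    except _LOOKUP_ERRORS as exc:
        raise UnknownAccount('"%s" is not a valid account name: %s' % (group_name, exc))
    if sid_type not in GROUP_SID_TYPES:
        # a user name typed where a group was meant: fail closed, not open
        raise UnknownAccount('"%s\\%s" is not a group (SID type %d)' % (domain, group_name, sid_type))
    return sid, domain


def member_of(group_name, system=None, lookup=None, check=None):
    """True if the group's SID is present and enabled in the calling thread's token.

    A None token makes CheckTokenMembership use the impersonation token if there
    is one, else the process token. The answer reflects group membership as of
    logon, not what the directory says right now.
    """
    sid, _domain = resolve_group_sid(group_name, system, lookup)
    if check is None:
        check = win32security.CheckTokenMembership
    return bool(check(None, sid))


# --- constructed sample data so the module can be exercised without Windows ---
_FAKE_ACCOUNTS = {                       # name -> (sid, domain, SID_NAME_USE)
    "WCPO-CREATE": ("S-1-5-21-1-2-3-1105", "CORP", SID_TYPE_GROUP),
    "WCPO-APPROVE": ("S-1-5-21-1-2-3-1106", "CORP", SID_TYPE_GROUP),
    "VCOLE": ("S-1-5-21-1-2-3-1001", "CORP", SID_TYPE_USER),
}
_FAKE_TOKEN_GROUPS = {"S-1-5-21-1-2-3-1105"}   # groups "enabled" in the fake token


def _fake_lookup(system, name):
    return _FAKE_ACCOUNTS[name]               # KeyError is a LookupError


def _fake_check(token, sid):
    return sid in _FAKE_TOKEN_GROUPS


def demo(group_name):
    """Run member_of against the fakes; returns True/False, or the error text."""
    try:
        return member_of(group_name, lookup=_fake_lookup, check=_fake_check)
    except UnknownAccount as exc:
        return str(exc)


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "WCPO-CREATE"
    if win32security is not None:
        print(name, "->", member_of(name))    # real token check on Windows
    else:
        print(name, "->", demo(name))         # constructed fakes elsewhere
```

On Windows, `python thisfile.py WCPO-CREATE` performs the real lookup and token check; elsewhere it runs against the fake directory. The hooks exist only so the resolve-then-check logic has a unit test; production callers use the defaults.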