# VBForums CodeBank > CodeBank - ASP / ASP.NET / MVC / Web API >  Check if user is a member of an Active Directory Group

## silentthread

*With the help of some threads in this forum, I was able to put this together.*

This is a function that you pass it the username and the AD group. If it finds a match, it returns true, else false. That way you can control what users can see on the webpage based on their AD rights.

To use the code below, you must be able to get the username. I believe you need to turn of anonymous access on the virtual directory, via mycomputer, right-click, manage, default website etc.

Add this to your webconfig file....



```
<identity impersonate="true" />
```

And call something like....

dim NTLogin as string = Replace(Environment.UserName, "Mydomain\", "")

To remove the domain name. If you still have problems getting the username, there are many threads in this forum that assist with that.   :Wink:  

Okay, Here is the function for checking if a user is a member of an AD group.
Please post questions, concerns, comments, suggestions, etc.



VB Code:
Public Function Check_If_Member_Of_AD_Group(ByVal username As String, _
    ByVal grouptoCheck As String, _
    ByVal domain As String, _
    ByVal ADlogin As String, _
    ByVal ADpassword As String) _
    As Boolean
         'This is a function that receives a username to see if it's a
        'member of a specific group in AD.
          Try
            'First let's put the whole thing in a nice big try catch, and
            'catch any errors.
             Dim EntryString As String
            EntryString = "LDAP://" & domain
            'Above, we setup the LDAP basic entry string.
             Dim myDE As DirectoryEntry
            'Above, I dimension my DirectoryEntry object
              grouptoCheck = grouptoCheck.ToLower()
            'The groups returned may have different combinations of
            'lowercase and uppercase, so let's go ahead
            'and make grouptoCheck lowercase.
              If (ADlogin <> "" AndAlso ADpassword <> "") Then
                'If they provided a password, then add it
                'as an argument to the function
                'I recently learned about AndAlso, and it's pretty
                'cool. Basically it does not worry about checking
                'the next condition if the first one is not true.
                myDE = New DirectoryEntry(EntryString, ADlogin, ADpassword)
                'Above, we create a new instance of the Directory Entry
                'Includes login and password
            Else
                'Else, use the account credentials of the machine 
                'making the request. You might not be able to get 
                'away with this if your production server does not have 
                'rights to query Active Directory.
                'Then again, there are workarounds for anything.
                myDE = New DirectoryEntry(EntryString)
                'Above, we create a new instance of the Directory Entry
                'Does not include login and password
            End If
             Dim myDirectorySearcher As New DirectorySearcher(myDE)
            'Above we create new instance of a DirectorySearcher
            'We also specify the Directory Entry as an argument.
             myDirectorySearcher.Filter = "sAMAccountName=" & username
            'Above we specify to filter our results where
            'sAMAccountName is equal to our username passed in.
            myDirectorySearcher.PropertiesToLoad.Add("MemberOf")
            'We only care about the MemberOf Properties, and we
            'specify that above.
             Dim myresult As SearchResult = myDirectorySearcher.FindOne()
            'SearchResult is a node in Active Directory that is returned
            'during a search through System.DirectoryServices.DirectorySearcher
            'Above, we dim a myresult object, and assign a node returned
            'from myDirectorySearcher.FindOne()
            'I've never heard of similar login Id's in Active Directory, 
            'so I don't think we need to call FindAll(), so Instead 
            'we call FindOne()
              Dim NumberOfGroups As Integer
            NumberOfGroups = myresult.Properties("memberOf").Count() - 1
            'Above we get the number of groups the user is a memberOf, 
            'and store it in a variable. It is zero indexed, so we
            'remove 1 so we can loop through it.
             Dim tempString As String
            'A temp string that we will use to get only what we
            'need from the MemberOf string property
             While (NumberOfGroups >= 0)
                tempString = myresult.Properties("MemberOf").Item(NumberOfGroups)
                tempString = tempString.Substring(0, tempString.IndexOf(",", 0))
                'Above we set tempString to the first index of "," starting
                'from the zeroth element of itself.
                tempString = tempString.Replace("CN=", "")
                'Above, we remove the "CN=" from the beginning of the string
                tempString = tempString.ToLower() 'Lets make all letters lowercase
                tempString = tempString.Trim()
                'Finnally, we trim any blank characters from the edges
                 If (grouptoCheck = tempString) Then
                    Return True
                End If
                'If we have a match, the return is true
                'username is a member of grouptoCheck
                 NumberOfGroups = NumberOfGroups - 1
            End While
              'If the code reaches here, there was no match.
            'Return false
            Return False
          Catch ex As Exception
             HttpContext.Current.Response.Write("Error: <br><br>" & ex.ToString)
         End Try
      End Function

----------


## silentthread

I want to mention that a buddy of mine mentioned to me that this function does not search for nested group memberships. If  you want to tackle that one, then go for it.  :Big Grin: 

If I ever need something like that, then I will put something together.

----------


## silentthread

*2 things to note.......*

a- If you are placing this on a production asp.net server, you will need to provide the LDAP account in the following fashion.....
mydomainblablah\bubbasLDAP_account
The prefixing of the domain is not important on your localhost though.

b- If you need to search nested group memberships, this can really beat up your asp.net server. We recently created an app that copies all the information from active directory into a SQL database. This copying happens automatically everynight. 
This method of querying nested group memberships from a SQL database has drastically increased our web applications performance.

----------


## luca90

hi silentthread and sorry me..
But this code is in VB.net?
I need a similar code to check if member is in group but in vb classic, have one?
Tks.

----------


## silentthread

It should not be too hard. Sorry, I don't have that handy. You might want to look for sites like this one.....
http://labs.developerfusion.co.uk/co...to-csharp.aspx
in which they convert to different languages. I doubt though that someone will have a vb.net to vb code converter.

----------


## jrhyne2584

> *2 things to note.......*
> 
> a- If you are placing this on a production asp.net server, you will need to provide the LDAP account in the following fashion.....
> mydomainblablah\bubbasLDAP_account
> The prefixing of the domain is not important on your localhost though.
> 
> b- If you need to search nested group memberships, this can really beat up your asp.net server. We recently created an app that copies all the information from active directory into a SQL database. This copying happens automatically everynight. 
> This method of querying nested group memberships from a SQL database has drastically increased our web applications performance.


Can you reference some resources on how you copied AD to SQL?  I'd be interested in pursuing this.

----------


## zurab0274

> Can you reference some resources on how you copied AD to SQL?chat room software  I'd be interested in pursuing this.


there is a tool coming along with sql management studio (import/export data), you can use it to transfer database from any regular format to sql

----------


## Hernandes

Thank you silentthread.

Its helps me a lot. I needed the function in C#, so I translate it. Think I could post this here, beside it is a VB forum.



```
        public Boolean Check_If_Member_Of_AD_Group(String username, String grouptoCheck, String domain, String ADlogin, String ADpassword)
        {
            //This is a function that receives a username to see if it's a
            //member of a specific group in AD.
            try
            {
                //'First let's put the whole thing in a nice big try catch, and
                //'catch any errors.
                String EntryString;
                EntryString = "LDAP://" + domain;
                //'Above, we setup the LDAP basic entry string.
                DirectoryEntry myDE;
                //'Above, I dimension my DirectoryEntry object
                grouptoCheck = grouptoCheck.ToLower();
                //'The groups returned may have different combinations of
                //'lowercase and uppercase, so let's go ahead
                //'and make grouptoCheck lowercase.
                if (ADlogin != "" && ADpassword != "")
                {
                    //'If they provided a password, then add it
                    //'as an argument to the function
                    //'I recently learned about AndAlso, and it's pretty
                    //'cool. Basically it does not worry about checking
                    //'the next condition if the first one is not true.
                    myDE = new DirectoryEntry(EntryString, ADlogin, ADpassword);
                    //'Above, we create a new instance of the Directory Entry
                    //'Includes login and password
                }
                else
                {
                    //'Else, use the account credentials of the machine
                    //'making the request. You might not be able to get
                    //'away with this if your production server does not have
                    //'rights to query Active Directory.
                    //'Then again, there are workarounds for anything.
                    myDE = new DirectoryEntry(EntryString);
                    //'Above, we create a new instance of the Directory Entry
                    //'Does not include login and password
                }
                DirectorySearcher myDirectorySearcher = new DirectorySearcher(myDE);
                //'Above we create new instance of a DirectorySearcher
                //'We also specify the Directory Entry as an argument.
                myDirectorySearcher.Filter = "sAMAccountName=" + username;
                //'Above we specify to filter our results where
                //'sAMAccountName is equal to our username passed in.
                myDirectorySearcher.PropertiesToLoad.Add("MemberOf");
                myDirectorySearcher.PropertiesToLoad.Add("Name");
                //'We only care about the MemberOf Properties, and we
                //'specify that above.
                SearchResult myresult = myDirectorySearcher.FindOne();
                //'SearchResult is a node in Active Directory that is returned
                //'during a search through System.DirectoryServices.DirectorySearcher
                //'Above, we dim a myresult object, and assign a node returned
                //'from myDirectorySearcher.FindOne()
                //'I've never heard of similar login Id's in Active Directory,
                //'so I don't think we need to call FindAll(), so Instead
                //'we call FindOne()
                if(myresult.Properties["Name"].Count > 0)
                {
                    loggedName = myresult.Properties["Name"][0].ToString();
                }

                Int32 NumberOfGroups;
                NumberOfGroups = myresult.Properties["memberOf"].Count - 1;
                //'Above we get the number of groups the user is a memberOf,
                //'and store it in a variable. It is zero indexed, so we
                //'remove 1 so we can loop through it.
                String tempString;
                //'A temp string that we will use to get only what we
                //'need from the MemberOf string property
                while (NumberOfGroups >= 0)
                {
                    tempString = myresult.Properties["MemberOf"][NumberOfGroups].ToString();
                    tempString = tempString.Substring(0, tempString.IndexOf(",", 0));
                    //'Above we set tempString to the first index of "," starting
                    //'from the zeroth element of itself.
                    tempString = tempString.Replace("CN=", "");
                    //'Above, we remove the "CN=" from the beginning of the string
                    tempString = tempString.ToLower(); //'Lets make all letters lowercase
                    tempString = tempString.Trim();
                    //'Finnally, we trim any blank characters from the edges
                    if (grouptoCheck == tempString)
                    {
                        return true;
                    }
                    //'If we have a match, the return is true
                    //'username is a member of grouptoCheck
                    NumberOfGroups = NumberOfGroups - 1;
                }
                //'If the code reaches here, there was no match.
                //'Return false
                return false;
            }

            catch (Exception ex)
            {
                HttpContext.Current.Response.Write("Error: <br><br>" + ex.ToString());
            }
            return false;
        }
```

Tks again.
Hernandes Moreira

----------

