[python-win32] Is this user a member of a given Active Directory group?

Tim Golden mail at timgolden.me.uk
Mon Aug 4 15:29:24 CEST 2008


Vernon Cole wrote:
> My company makes use of Active Directory to determine what rights a 
> given user has in an application system. If the user is a member of a 
> certain group, then (s)he has the right to perform some set of 
> functions. For example, if VCOLE is a member of WCPO-CREATE then I can 
> create new purchase orders. 

Maybe someone's already picked this up, in which case
sorry for the duplicate. (I'm away in Manchester at
the moment and only checking email occasionally).

The answer might be one of two things, depending on
how your app works. Conventionally, what one does is
to determine whether a given SID (representing an
access group such as WCPO-CREATE) is present and
enabled in the process token of the currently
logged-on token (which might be an impersonation
token). The alternative is to check the user's AD entry
for group membership, which is a whole different
set of APIs. The former suffers from the fact that
the logged-on token's groups might have been superseded
by some security change, i.e. if the user logged on at
8am then his token represents his group memberships
at that point. If he was denied some group at 8.30am
and it's now 9am, his token will still contain this
group but his AD group membership will show otherwise.

Assuming the first, then it's quite simple. You
use the CheckTokenMembership function in the
win32security module against the logged-on token.

I've created a (local) WCPO-CREATE group and put
myself in it. This, then, is the test I would use:
[using 4 spaces which I think you prefer :) ]

<code>
import win32security

GROUP_NAME = "WCPO-CREATE"

# Resolve the group name to its SID. None as the system name looks the
# name up locally first, then on the domain. The third value is the SID
# type (e.g. SidTypeAlias for a local group); it is not needed here.
sid, system, sid_type = win32security.LookupAccountName(
    None, GROUP_NAME
)

# None as the token means "the calling thread's impersonation token if
# it is impersonating, otherwise the process token".
if win32security.CheckTokenMembership(None, sid):
    print("I am in %s" % GROUP_NAME)
else:
    print("I am not in %s" % GROUP_NAME)
</code>

If you had a local group which shadowed an AD group,
you'd need to specify a domain or a DC name as the
first param of the LookupAccountName. Using None
as the first of the params to CheckTokenMembership
should use the process token even if it's an
impersonation token. This is generally what you
want.

TJG
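An added example, not part of Tim's reply, showing what "present and enabled in the token" means in practice. CheckTokenMembership answers true only for a group SID that is in the token's group list with SE_GROUP_ENABLED set; a SID that is there but marked SE_GROUP_USE_FOR_DENY_ONLY never grants anything. The first function below applies that rule to a list of (SID, attributes) pairs of the shape pywin32's GetTokenInformation(token, TokenGroups) returns, using constructed string SIDs so it can be exercised off Windows; the second function reads the real process token and compares with the CheckTokenMembership result, and needs pywin32 on Windows. The flag values are the documented winnt.h constants; the SID strings and attribute mixes in SAMPLE_TOKEN_GROUPS are made up for the demonstration.

```python
"""Mirror the 'present and enabled' rule behind CheckTokenMembership.

Added example; not code from the python-win32 post it follows.
"""

# Group attribute flags from winnt.h (documented values).
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

# Constructed sample: SIDs and attributes invented for this example only.
# The first entry is a normal, enabled group; the second is a group that a
# restricted token carries for deny-only evaluation; the third is present
# but disabled (SE_GROUP_ENABLED not set).
WCPO_CREATE_SID = "S-1-5-21-111-222-333-1101"     # constructed placeholder
WCPO_APPROVE_SID = "S-1-5-21-111-222-333-1102"    # constructed placeholder
WCPO_AUDIT_SID = "S-1-5-21-111-222-333-1103"      # constructed placeholder
SAMPLE_TOKEN_GROUPS = [
    (WCPO_CREATE_SID, SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED),
    (WCPO_APPROVE_SID, SE_GROUP_USE_FOR_DENY_ONLY),
    (WCPO_AUDIT_SID, SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT),
]


def group_is_effective(token_groups, group_sid):
    """Return True if group_sid would satisfy CheckTokenMembership.

    token_groups is an iterable of (sid, attributes) pairs, the shape that
    win32security.GetTokenInformation(token, win32security.TokenGroups)
    returns. PySID objects compare by value, so real SIDs work here too.
    """
    for sid, attrs in token_groups:
        if sid != group_sid:
            continue
        # A deny-only SID is consulted only for deny ACEs; it never grants.
        if attrs & SE_GROUP_USE_FOR_DENY_ONLY:
            return False
        # Present but disabled does not count either.
        return bool(attrs & SE_GROUP_ENABLED)
    return False


def sample_results():
    """Evaluate the constructed token against the three sample groups."""
    return {
        "create": group_is_effective(SAMPLE_TOKEN_GROUPS, WCPO_CREATE_SID),
        "approve": group_is_effective(SAMPLE_TOKEN_GROUPS, WCPO_APPROVE_SID),
        "audit": group_is_effective(SAMPLE_TOKEN_GROUPS, WCPO_AUDIT_SID),
    }


def check_against_real_token(group_name, system_name=None):
    """Windows only: compare our rule with CheckTokenMembership itself.

    Uses the process token (OpenProcessToken), so unlike passing None to
    CheckTokenMembership it ignores any thread impersonation token.
    """
    import win32api  # pywin32
    import win32security  # pywin32

    sid, _domain, _sid_type = win32security.LookupAccountName(system_name, group_name)
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), win32security.TOKEN_QUERY
    )
    groups = win32security.GetTokenInformation(token, win32security.TokenGroups)
    ours = group_is_effective(groups, sid)
    theirs = bool(win32security.CheckTokenMembership(None, sid))
    return ours, theirs


if __name__ == "__main__":
    for name, effective in sorted(sample_results().items()):
        print("%s: %s" % (name, "member" if effective else "not a member"))
```

Note that both checks read the token built at logon, so they share the staleness Tim describes: a group removed in AD after logon still shows as effective until the user obtains a fresh token.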

