Vernon Cole wrote:
My company makes use of Active Directory to determine what rights a given user has in an application system. If the user is a member of a certain group, then (s)he has the right to perform some set of functions. For example, if VCOLE is a member of WCPO-CREATE then I can create new purchase orders.
Maybe someone's already picked this up, in which case sorry for the duplicate. (I'm away in Manchester at the moment and only checking email occasionally.)

The answer might be one of two things, depending on how your app works. Conventionally, what one does is to determine whether a given SID (representing an access group such as WCPO-CREATE) is present and enabled in the process token of the currently logged-on token (which might be an impersonation token). The alternative is to check the user's AD entry for group membership, which is a whole different set of APIs. The former suffers from the fact that the logged-on token's groups might have been superseded by some security change, i.e. if the user logged on at 8am then his token represents his group memberships at that point. If he was denied some group at 8.30am and it's now 9am, his token will still contain this group but his AD group membership will show otherwise.

Assuming the first, then it's quite simple. You use the CheckTokenMembership function in the win32security module against the logged-on token. I've created a (local) WCPO-CREATE group and put myself in it. This, then, is the test I would use: [using 4 spaces which I think you prefer :) ]

<code>
import win32security

GROUP_NAME = "WCPO-CREATE"

# Resolve the group name to its SID; None means "look it up on this machine"
sid, system, sid_type = win32security.LookupAccountName(None, GROUP_NAME)

# None as the token: check against the calling thread's token
# (the process token when the thread is not impersonating)
if win32security.CheckTokenMembership(None, sid):
    print "I am in", GROUP_NAME
else:
    print "I am not in", GROUP_NAME
</code>

If you had a local group which shadowed an AD group, you'd need to specify a domain or a DC name as the first param of the LookupAccountName. Using None as the first of the params to CheckTokenMembership should use the process token even if it's an impersonation token. This is generally what you want.

TJG

_______________________________________________
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
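The reply above contrasts the two ways of answering "is this user in WCPO-CREATE": the groups carried in the logon token versus the memberships the directory reports right now. The following is an added example, not code from the list post or from pywin32, that puts both side by side so a stale token (logged on at 8am, removed from the group at 8.30am) can be detected rather than silently trusted. It assumes pywin32 on Windows for the two live functions (`token_groups_from_process`, `directory_groups_for`); the attribute flags, the group name `WCPO-CREATE` and the comparison logic are stand-alone and run anywhere, and the sample data in the test is constructed.

```python
"""Added example: compare the groups enabled in the current process token with
the memberships the directory (or local SAM) reports for the same user.
pywin32 is only needed for the two Windows-specific functions below."""
import sys

# Group attribute flags as defined in winnt.h
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010


def enabled_groups(groups):
    """Return the upper-cased names of token groups that can actually grant access.

    groups: iterable of (name, attributes) pairs, as built from
    GetTokenInformation(token, TokenGroups). Deny-only groups are dropped
    because an access check may only use them to deny, never to grant, and
    disabled groups do not take part in the check at all. Names are
    upper-cased because Windows account names are case-insensitive.
    """
    names = set()
    for name, attributes in groups:
        if attributes & SE_GROUP_USE_FOR_DENY_ONLY:
            continue
        if attributes & SE_GROUP_ENABLED:
            names.add(name.upper())
    return names


def compare_memberships(token_names, directory_names, of_interest=None):
    """Return (stale, pending) as sorted lists.

    stale:   groups the token still carries but the directory no longer grants
             (rights the app would wrongly keep honouring until the next logon)
    pending: groups granted since logon that the token does not yet contain
    of_interest restricts the comparison to the application's own rights
    groups; well-known token groups such as Everyone never appear in a
    directory listing and would otherwise show up as "stale".
    """
    token = {n.upper() for n in token_names}
    directory = {n.upper() for n in directory_names}
    if of_interest is not None:
        interest = {n.upper() for n in of_interest}
        token &= interest
        directory &= interest
    return sorted(token - directory), sorted(directory - token)


def token_groups_from_process():
    """Windows only: (name, attributes) for every group in the process token."""
    import win32api, win32con, win32security
    handle = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
                                            win32con.TOKEN_QUERY)
    result = []
    for sid, attributes in win32security.GetTokenInformation(
            handle, win32security.TokenGroups):
        try:
            name, domain, _ = win32security.LookupAccountSid(None, sid)
        except win32security.error:
            name = str(sid)  # e.g. logon-session SIDs have no account name
        result.append((name, attributes))
    return result


def directory_groups_for(user, server=None):
    """Windows only: global and local group names the directory (the local SAM
    when server is None, a domain controller name otherwise) reports now."""
    import win32net
    LG_INCLUDE_INDIRECT = 0x1  # also report local groups joined via nesting
    names = [name for name, _ in win32net.NetUserGetGroups(server, user)]
    names += win32net.NetUserGetLocalGroups(server, user, LG_INCLUDE_INDIRECT)
    return names


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("the live comparison needs Windows and pywin32")
    import win32api
    # Assumed application rights groups (WCPO-CREATE is the one from the post)
    rights_groups = {"WCPO-CREATE"}
    in_token = enabled_groups(token_groups_from_process())
    in_directory = directory_groups_for(win32api.GetUserName())
    stale, pending = compare_memberships(in_token, in_directory, rights_groups)
    print("rights in token:      ", sorted(in_token & rights_groups))
    print("stale (token only):   ", stale)
    print("pending (directory):  ", pending)
```

When `stale` is non-empty the process is still acting on memberships the directory has revoked, which is the case the reply warns about; an application that cares can re-check the directory for its rights groups at sensitive operations, or require a fresh logon, instead of relying on the token alone.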