Tim, You Da Man! Vernon

Based on your suggestion, I have:

<code>
import pywintypes
import win32security

def testMemberOf(GROUP_NAME):
    # Resolve the group name to a SID; LookupAccountName raises
    # pywintypes.error when the name cannot be resolved
    try:
        sid, system, sid_type = win32security.LookupAccountName(None, GROUP_NAME)
    except pywintypes.error:
        raise ValueError('"%s" is not a valid group name' % GROUP_NAME)
    # Is that SID present and enabled in the caller's token?
    return win32security.CheckTokenMembership(None, sid)
</code>

On Mon, Aug 4, 2008 at 7:29 AM, Tim Golden <[EMAIL PROTECTED]> wrote:
> Vernon Cole wrote:
>
>> My company makes use of Active Directory to determine what rights a given
>> user has in an application system. If the user is a member of a certain
>> group, then (s)he has the right to perform some set of functions. For
>> example, if VCOLE is a member of WCPO-CREATE then I can create new purchase
>> orders.
>>
>
> Maybe someone's already picked this up, in which case
> sorry for the duplicate. (I'm away in Manchester at
> the moment and only checking email occasionally).
>
> The answer might be one of two things, depending on
> how your app works. Conventionally, what one does is
> to determine whether a given SID (representing an
> access group such as WCPO-CREATE) is present and
> enabled in the process token of the currently
> logged-on token (which might be an impersonation
> token). The alternative is to check the user's AD entry
> for group membership, which is a whole different
> set of APIs. The former suffers from the fact that
> the logged-on token's groups might have been superseded
> by some security change, i.e. if the user logged on at
> 8am then his token represents his group memberships
> at that point. If he was denied some group at 8.30am
> and it's now 9am, his token will still contain this
> group but his AD group membership will show otherwise.
>
> Assuming the first, then it's quite simple. You
> use the CheckTokenMembership function in the
> win32security module against the logged-on token.
>
> I've created a (local) WCPO-CREATE group and put
> myself in it. This, then, is the test I would use:
> [using 4 spaces which I think you prefer :) ]
>
> <code>
> import win32security
>
> GROUP_NAME = "WCPO-CREATE"
>
> # Resolve the group name to its SID (None = look it up on this machine)
> sid, system, sid_type = win32security.LookupAccountName(
>     None, GROUP_NAME
> )
> # None = check against the caller's own token
> if win32security.CheckTokenMembership(
>     None, sid
> ):
>     print("I am in %s" % GROUP_NAME)
> else:
>     print("I am not in %s" % GROUP_NAME)
> </code>
>
> If you had a local group which shadowed an AD group,
> you'd need to specify a domain or a DC name as the
> first param of the LookupAccountName. Using None
> as the first of the params to CheckTokenMembership
> should use the process token even if it's an
> impersonation token. This is generally what you
> want.
>
> TJG
> _______________________________________________
> python-win32 mailing list
> python-win32@python.org
> http://mail.python.org/mailman/listinfo/python-win32
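As an added example (not code from either message above), here is the token-based check Tim describes, wrapped so that the pywin32 calls are imported lazily and can be swapped for fakes. The wrapper's own behaviour (splitting an optional `DOMAIN\` prefix into the first argument of LookupAccountName, raising ValueError for an unresolvable name instead of quietly reporting "not a member", returning a plain bool) can then be exercised on a machine without Windows, while the real lookup still goes through win32security. The names `split_account_name`, `is_member_of`, `fake_lookup`, `fake_check` and `demo` are mine, and the SIDs and account table in the fake backend are constructed, not real values.

```python
# Added example: token-based group check as described in the thread, with the
# win32security calls isolated behind two callables so the wrapper can be run
# against a constructed fake backend off-Windows.


def split_account_name(name):
    """Split 'SYSTEM\\group' into (system, group).

    A bare name gives (None, group), which makes LookupAccountName resolve it
    from this machine's point of view. Naming the domain or a DC explicitly is
    what you need when a local group shadows an AD group of the same name.
    """
    system, sep, group = name.partition("\\")
    if not sep:
        return None, name
    return system or None, group


def _win32_lookup(system, name):
    # pywin32; imported inside the function so this module loads elsewhere too
    import win32security
    return win32security.LookupAccountName(system, name)


def _win32_check(sid):
    import win32security
    # None = the caller's effective token: the impersonation token if the
    # thread is impersonating, otherwise the process token. The answer is
    # "is this SID present and enabled in the token", i.e. membership as it
    # stood at logon, not the directory's current state.
    return bool(win32security.CheckTokenMembership(None, sid))


def is_member_of(group_name, lookup=_win32_lookup, check=_win32_check):
    """True if the caller's token holds the (enabled) SID of group_name.

    Raises ValueError when the name cannot be resolved to a SID.
    """
    system, group = split_account_name(group_name)
    try:
        sid, _resolved_domain, _sid_type = lookup(system, group)
    except Exception as exc:  # pywintypes.error on Windows
        raise ValueError('"%s" is not a valid account name' % group_name) from exc
    return check(sid)


# --- constructed fake backend standing in for win32security (assumption) ---
_FAKE_ACCOUNTS = {
    (None, "WCPO-CREATE"): "S-1-5-21-LOCAL-1001",    # local group, made-up SID
    ("CORP", "WCPO-CREATE"): "S-1-5-21-CORP-2001",   # domain group, made-up SID
}
_FAKE_TOKEN_GROUPS = {"S-1-5-21-LOCAL-1001"}  # only the local group is in the token


def fake_lookup(system, name):
    """Mimic LookupAccountName: (sid, domain, sid_type) or an error."""
    try:
        sid = _FAKE_ACCOUNTS[(system, name)]
    except KeyError:
        raise OSError("No mapping between account names and security IDs was done")
    return sid, system or "LOCALPC", 2  # 2 = SidTypeGroup


def fake_check(sid):
    """Mimic CheckTokenMembership against the constructed token."""
    return sid in _FAKE_TOKEN_GROUPS


def demo():
    """Run the wrapper against the fake backend and return the outcomes."""
    results = {
        "local": is_member_of("WCPO-CREATE", fake_lookup, fake_check),
        "domain": is_member_of("CORP\\WCPO-CREATE", fake_lookup, fake_check),
    }
    try:
        is_member_of("NO-SUCH-GROUP", fake_lookup, fake_check)
        results["unknown_raises"] = False
    except ValueError:
        results["unknown_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

On Windows, `is_member_of("WCPO-CREATE")` with the default backends performs the real LookupAccountName/CheckTokenMembership pair; passing `"CORP\\WCPO-CREATE"` sends `"CORP"` as the system argument, which is the shadowed-group case Tim mentions. Because the answer comes from the token, a membership revoked after logon is still reported as present until the user obtains a fresh token, exactly the staleness Tim describes.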