SharePoint 2003: Getting roles for domaingroup users

In SharePoint 2003, consider a user who is a member of a domain group that has rights to SharePoint, but who hasn't been added to SharePoint explicitly (i.e. only the domain group has been added). When you get an SPUser object for that user (i.e. currentWeb.AllUsers["domain\\userlogin"]), the roles (aka SharePoint groups) property is empty, even though the user inherits roles from the domain group. I have found this a big headache when trying to code role-specific functionality. The solution I eventually came up with is as follows:

using System;
using System.Security.Principal;
using Microsoft.SharePoint;

public class UserHelper
{
    // True if the user is in the role directly or through a domain group that is in the role.
    public static bool IsMemberOfRole(WindowsIdentity userId, SPWeb sourceWeb, string userLogin, string roleName)
    {
        bool isMember = false;
        SPWeb rootWeb = sourceWeb.Site.RootWeb;
        SPRole spRole = rootWeb.Roles[roleName];
        SPUser currentUser = sourceWeb.AllUsers[userLogin];
        foreach (SPUser roleUser in spRole.Users)
        {
            if ((roleUser.IsDomainGroup && userIsMemberOfDomainGroup(userId, roleUser.LoginName)) ||
                roleUser.ID == currentUser.ID)
            {
                isMember = true;
            }
        }
        return isMember;
    }

    // Checks Windows group membership against the user's own token.
    private static bool userIsMemberOfDomainGroup(WindowsIdentity userId, string groupName)
    {
        WindowsPrincipal p = new WindowsPrincipal(userId);
        return p.IsInRole(groupName);
    }
}

To call…
using System.Security.Principal;

// Inside a page or web part, where this.Context carries the authenticated user.
WindowsIdentity windowsId = (WindowsIdentity)this.Context.User.Identity;
if (UserHelper.IsMemberOfRole(windowsId, tmpWeb, CurrentUserLogon, "Administrator"))
{
    // Do something...
}

The only problem with the above solution is that it relies on the code having a context containing the current WindowsIdentity. This means that the code will not run in an event handler, as event handlers run as the IIS account for SharePoint (e.g. administrator) rather than as the current user. The current user is listed in the listevent properties, but I cannot work out how to get a WindowsIdentity from this easily.
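One way to build a WindowsIdentity when only the login name is available, as in the event handler case above (an added example, not code from the original post): the WindowsIdentity constructor that takes a user principal name obtains a token without the user's password. EventHandlerUserHelper, ToUpn and the dnsDomain parameter are hypothetical, and the example assumes the server is joined to a Windows Server 2003 or later domain and that the user's UPN is login@dnsDomain.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Hypothetical helper for code that has a login name but no user context.
public class EventHandlerUserHelper
{
    // Builds "login@dns.domain" from "DOMAIN\login". dnsDomain is supplied by the
    // caller; that it matches the user's UPN suffix is an assumption.
    public static string ToUpn(string userLogin, string dnsDomain)
    {
        int slash = userLogin.IndexOf('\\');
        if (slash <= 0 || slash == userLogin.Length - 1)
        {
            throw new ArgumentException("Expected DOMAIN\\login", "userLogin");
        }
        return userLogin.Substring(slash + 1) + "@" + dnsDomain;
    }

    // Returns true only when a token could be built and it carries the group.
    // Any failure to build the token is treated as "not a member".
    public static bool IsMemberOfDomainGroup(string userLogin, string dnsDomain, string groupName)
    {
        try
        {
            // UPN constructor: asks Windows for a token for this user, no password needed.
            WindowsIdentity id = new WindowsIdentity(ToUpn(userLogin, dnsDomain));
            return new WindowsPrincipal(id).IsInRole(groupName);
        }
        catch (ArgumentException) { return false; }  // malformed login or logon refused
        catch (SecurityException) { return false; }  // caller or platform cannot do this
    }
}
```

Because the handler runs under a privileged account, the login name passed in is the only thing tying the check to the real user, so it should come from the event properties and never from user-supplied input.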

I would be really interested to hear if anyone has any alternative solutions to this problem. The only alternatives I found are as follows:

About the Author: rnowik
