Hi
The first thing you need to know is that a user can be a member of many groups, including groups that one or more of the groups can be a member of.
When you search for groups a user is a member of, you choose how to specify the user you are searching for membership. For example, in our code to display Membership of for an object, we use this code for the search.
Code:
// OK, we need to kick off a search which returns all the groups this object is a member of
UDB_SEARCH_INFO Search;
Search.dwFlags = UDB_SEARCH_USESTRINGVALUE | UDB_SEARCH_ALLOBJECTS | UDB_SEARCH_MEMBEROF;
Search.strValue = m_strObjectGUID.c_str();
Search.dwField = UDB_SEARCH_FIELD_GUID;
Search.dwItems = 0;
Search.pContext = this;
Search.pCallbackFunc = GetMemberofCallbackFunc;
UDBHandle hSearch;
SPI::UDBSearchOpen(&Search, &hSearch);
SPI::UDBCloseHandle(hSearch);
So we take the GUID of the object (since not just a user can be a member of a group, but also a group, computer, security principal, etc.). Then we specify that the search value is the GUID of the object in dwField.
You could use the SID, but they are not always guaranteed unique or invariant. A SID can be doubled up in some cases (e.g. well-known security principals) and can change for a user if the user is moved to a different domain.
Note: you can get the GUID of a user object with
Code:
HRESULT UDBObjectGetInfo(WinGateSDK::UDBHandle hObject, WinGateSDK::UDB_OBJECT_INFO** ppInfo);
HRESULT UDBObjectFreeInfo(WinGateSDK::UDB_OBJECT_INFO* pInfo);
Also note we free the handle after calling the search function; it's reference counted and cleaned up after the last search result is delivered to the callback function. It's easier to do this than to check for the end of search results and clean up the search handle then (saves having to remember the handle). If you want to cancel the search, however, you would need to remember the search handle.
Regards
Adrien
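The group nesting described at the top of the post, as an added example that is not part of the original post and does not call the WinGate SDK: it expands direct memberships into the full set of groups an object ends up in, keyed by GUID and safe against groups that contain each other. The `DirectMemberOf` map, the function names and the placeholder GUID strings are assumptions made for illustration; it also assumes each lookup yields direct memberships only, which the post does not state.

```cpp
#include <deque>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using Guid = std::string;
// Object GUID -> GUIDs of the groups it is a direct member of (hypothetical model).
using DirectMemberOf = std::map<Guid, std::vector<Guid>>;

// Constructed sample data; the GUID strings are placeholders, not real values.
DirectMemberOf SampleDirectory()
{
    return {
        {"guid-user-alice",    {"guid-grp-helpdesk", "guid-grp-staff"}},
        {"guid-grp-helpdesk",  {"guid-grp-operators"}},
        {"guid-grp-operators", {"guid-grp-admins"}},
        {"guid-grp-admins",    {"guid-grp-operators"}},  // cycle: admins <-> operators
        {"guid-pc-kiosk",      {"guid-grp-staff"}},      // computers can be members too
    };
}

// Every group the object belongs to, directly or through nested groups.
std::set<Guid> EffectiveGroups(const DirectMemberOf& dir, const Guid& object)
{
    std::set<Guid> seen{object};            // seeding with the object stops a cycle re-queuing it
    std::deque<Guid> pending{object};
    while (!pending.empty()) {
        const Guid current = pending.front();
        pending.pop_front();
        const auto it = dir.find(current);
        if (it == dir.end()) continue;      // no memberships recorded for this object
        for (const Guid& group : it->second)
            if (seen.insert(group).second)  // queue each group on first visit only
                pending.push_back(group);
    }
    seen.erase(object);                     // report groups only, not the starting object
    return seen;
}

int main()
{
    for (const Guid& g : EffectiveGroups(SampleDirectory(), "guid-user-alice"))
        std::cout << g << '\n';
    return 0;
}
```

An access decision based only on the two direct groups would miss that this sample user also ends up in the admins group through two levels of nesting.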