How to get user group membership based on his SID

Sep 13, 2010 at 3:59 PM


Is there a way to get a user's group membership based on his SID?

I do not have the user's password or Kerberos token at the time I need this information.



Sep 13, 2010 at 4:09 PM

I recommend not going this route. What are you really trying to achieve?

It's a pretty common question, so the answer is that no, you cannot do this reliably, especially not if you have a situation with trusted domains. You also have to worry about nested and local group memberships. You can certainly do this or this.
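An added illustration of the caveats in the reply above, not code from this thread or from Waffle: a simplified Python model showing why a direct-membership query against the user's own domain differs from the group set a file server would evaluate once nested groups, a trusting domain and machine-local groups are involved. Every SID, name and the `GROUPS` layout is constructed for the example.

```python
# Constructed sample data: all SIDs, names and memberships are made up.
USER = "S-1-5-21-1111-1001"  # CORP\alice

# group SID -> (scope where the group is defined, direct member SIDs)
GROUPS = {
    "S-1-5-21-1111-2001": ("domain:CORP", {USER}),                       # CORP\Engineers
    "S-1-5-21-1111-2002": ("domain:CORP", {"S-1-5-21-1111-2001"}),       # CORP\AllStaff (nested)
    "S-1-5-21-2222-3001": ("domain:PARTNER", {"S-1-5-21-1111-2002"}),    # group in a trusting domain
    "S-1-5-21-3333-4001": ("machine:FILESRV1", {"S-1-5-21-2222-3001"}),  # local group on the file server
    "S-1-5-21-3333-4002": ("machine:OTHERSRV", {USER}),                  # local group on another host
}

# The share's ACL grants read access to the file server's local group only.
ACL_ALLOW = {"S-1-5-21-3333-4001"}


def direct_groups(sid, scope):
    """Groups in one scope that list the SID as a direct member (a naive lookup)."""
    return {g for g, (where, members) in GROUPS.items()
            if where == scope and sid in members}


def effective_groups(sid, scopes):
    """Transitive closure of membership across every scope the resource server sees."""
    found, frontier = set(), {sid}
    while frontier:
        newly = {g for g, (where, members) in GROUPS.items()
                 if where in scopes and g not in found and members & frontier}
        found |= newly      # 'g not in found' also protects against membership cycles
        frontier = newly
    return found


def can_read(group_sids):
    """Access decision: any group SID present in the allow list grants read."""
    return bool(group_sids & ACL_ALLOW)


if __name__ == "__main__":
    naive = direct_groups(USER, "domain:CORP")
    full = effective_groups(USER, {"domain:CORP", "domain:PARTNER", "machine:FILESRV1"})
    print("naive lookup:", sorted(naive), "-> read allowed:", can_read(naive))
    print("server view :", sorted(full), "-> read allowed:", can_read(full))
```

The model ignores real group-scope rules and SID history; it only shows that the answer depends on which domains and which machine the lookup is evaluated from.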

Sep 13, 2010 at 4:24 PM

I have a Java indexer that indexes a Windows shared drive, including security. When the user logs in I am able to get the list of groups he belongs to. This list is then used to assess user access rights in the indexer. This works fine.

Now I'd like to have a 'principal authentication mode' where the user logs in to the application by some means and then the application, being trusted by the indexer, just has to pass the user name.

I wanted to avoid passing a Kerberos token around because it makes integration more difficult. But I'll probably go down that road as the 'principal authentication' option is that difficult.

Thanks for the fast answer anyway. You built a nice library and I appreciate your work on JNA too.


Sep 14, 2010 at 1:04 AM

Interesting. Do tell us what you do and feel free to contribute any code to Waffle that's remotely related to this area.