The IsInRole method of the WindowsPrincipal class does not work correctly (842794)



The information in this article applies to:

  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 SP1

SYMPTOMS

When you use the IsInRole method of the WindowsPrincipal class to determine whether the current user belongs to a specified Windows user group, the IsInRole method may not work correctly. This behavior may occur although the user is a member of the specified Windows user group.

CAUSE

This problem occurs if one of the following conditions is true:
  • The user is not a member of the specified Windows user group in the current logon session.
  • The administrator has made changes in the Group Policy settings.
  • The role parameter is treated as case-sensitive by the IsInRole method in Microsoft .NET Framework 1.0.

    For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    816640 Role parameter is case sensitive for IsInRole method

  • The user belongs to many user groups, and you are using Microsoft .NET Framework 1.0 Service Pack 1.

    For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    321562 FIX: Role-based authentication fails for users who belong to many groups

WORKAROUND

To work around this problem, use the following methods:
  • Use correct naming and capitalization conventions.
  • Use the correct group name.
  • Apply the changes.

Use correct naming and capitalization conventions

When you are using the .NET Framework 1.0, the role string in the IsInRole method must be named as follows:
  • The group name must be the same as when it was originally created.
  • For groups in a domain, the domain name must be capitalized.
  • For local groups, the computer name must be capitalized.

Use the correct group name

Indicate the correct group name in the role string of the IsInRole method:
  • For built-in groups, the role string must be:

    "BUILTIN\GroupName"

    For example, when you are checking whether the user is a member of the Administrators group, the string that represents the role string must be "BUILTIN\Administrators".
  • For local groups, the role string must be "COMPUTERNAME\GroupName".
  • For domain-specific groups, the role string must be "DOMAINNAME\GroupName".
To obtain the names of the groups of which the current user is a member, run the Gpresult tool at the command prompt on computers that are running Microsoft Windows 2000 or later versions.
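
The following C# console program is an added example, not code from the original article. It builds role strings in the form described above (capitalized qualifier, group name unchanged) and passes them to IsInRole. The class name RoleCheck, the helper NormalizeRole, and the group names AppOperators and AppAuditors are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;

class RoleCheck
{
    // Normalizes "qualifier\GroupName": the qualifier (BUILTIN, computer name, or
    // domain name) is capitalized; the group name keeps the casing it was created
    // with. An unqualified name such as "Administrators" is rejected so that a
    // malformed role string fails loudly instead of silently never matching.
    public static string NormalizeRole(string role)
    {
        int slash = (role == null) ? -1 : role.IndexOf('\\');
        if (slash <= 0 || slash == role.Length - 1 || role.IndexOf('\\', slash + 1) >= 0)
            throw new ArgumentException("Role must be QUALIFIER\\GroupName", "role");
        return role.Substring(0, slash).ToUpper(CultureInfo.InvariantCulture)
             + role.Substring(slash);
    }

    static void Main()
    {
        // The principal reflects the groups of the current logon session.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("Checking logon session of {0}", identity.Name);

        string[] roles = new string[] {
            "builtin\\Administrators",                    // built-in group
            Environment.MachineName + "\\AppOperators",   // hypothetical local group
            Environment.UserDomainName + "\\AppAuditors"  // hypothetical domain group
        };
        foreach (string role in roles)
        {
            string normalized = NormalizeRole(role);
            Console.WriteLine("{0,-40} {1}", normalized, principal.IsInRole(normalized));
        }

        // For built-in groups, the WindowsBuiltInRole overload of IsInRole
        // needs no role string at all.
        Console.WriteLine("{0,-40} {1}", "WindowsBuiltInRole.Administrator",
            principal.IsInRole(WindowsBuiltInRole.Administrator));
    }
}
```

Compare the output with the group list that Gpresult reports for the same logon session.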

Apply the changes

After any changes are made to the Group Policy settings, run the Secedit tool or the Gpupdate tool at the command prompt to apply the changes.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

298444 A description of the Group Policy Update utility

227448 Using Secedit.exe to force Group Policy to be applied again

STATUS

This behavior is by design.

REFERENCES

For more information, visit the following Microsoft Developer Network (MSDN) Web site:

Modification Type: Minor
Last Reviewed: 7/6/2004
Keywords: kbpolicy kbGPO kbValidation kbUser kbprb KB842794 kbAudDeveloper