WindowsPrincipal.IsInRole Method (String) (System.Security.Principal)

.NET Framework Class Library

WindowsPrincipal..::.IsInRole Method (String)

Determines whether the current principal belongs to the Windows user group with the specified name.

Namespace: System.Security.Principal
Assembly: mscorlib (in mscorlib.dll)

Syntax

Visual Basic (Declaration)

Public Overridable Function IsInRole ( _
    role As String _
) As Boolean

Visual Basic (Usage)

Dim instance As WindowsPrincipal
Dim role As String
Dim returnValue As Boolean

returnValue = instance.IsInRole(role)

public virtual bool IsInRole(
    string role
)

Visual C++

public:
virtual bool IsInRole(
    String^ role
)

JScript

public function IsInRole(
    role : String
) : boolean

Parameters

role: Type: System..::.String
The name of the Windows user group for which to check membership.

Return Value

Type: System..::.Boolean
true if the current principal is a member of the specified Windows user group; otherwise, false.

Implements

IPrincipal..::.IsInRole(String)

Remarks

When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain. Not doing so can cause the IsInRole test to return false. This method is not supported on Windows 98 or Windows Millennium Edition.

For performance reasons, the IsInRole(SecurityIdentifier) overload is recommended as the preferable overload for determining the user's role.

Note:
In Windows Vista, User Account Control (UAC) determines the privileges of a user. If you are a member of the Built-in Administrators group, you are assigned two run-time access tokens: a standard user access token and an administrator access token. By default, you are in the standard user role. When you attempt to perform a task that requires administrative privileges, you can dynamically elevate your role by using the Consent dialog box. The code that executes the IsInRole method does not display the Consent dialog box. The code returns false if you are in the standard user role, even if you are in the Built-in Administrators group. You can elevate your privileges before you execute the code by right-clicking the application icon and indicating that you want to run as an administrator.

Note:

In Windows Vista, User Account Control (UAC) determines the privileges of a user. If you are a member of the Built-in Administrators group, you are assigned two run-time access tokens: a standard user access token and an administrator access token. By default, you are in the standard user role. When you attempt to perform a task that requires administrative privileges, you can dynamically elevate your role by using the Consent dialog box. The code that executes the IsInRole method does not display the Consent dialog box. The code returns false if you are in the standard user role, even if you are in the Built-in Administrators group. You can elevate your privileges before you execute the code by right-clicking the application icon and indicating that you want to run as an administrator.

For built-in roles, the role string should be in the form "BUILTIN\RoleNameHere". For example, to test for membership in the Windows administrator role, the string representing the role should be "BUILTIN\Administrators". Note that the backslash might need to be escaped. The following table lists the built-in roles.

Note:
The spelling for the BUILTIN roles in string format differs from the spelling used in the WindowsBuiltInRole enumeration. For example, the spelling for an administrator in the enumeration is "Administrator", not "Administrators". When using this overload, use the spelling for the role from the following table.

Built-in local groups
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Guests
BUILTIN\Account Operators
BUILTIN\Server Operators
BUILTIN\Print Operators
BUILTIN\Backup Operators
BUILTIN\Replicator

For machine-specific roles, the role string should be in the form "MachineName\RoleNameHere".

For domain-specific roles, the role string should be in the form "DomainName\RoleNameHere"; for example, "SomeDomain\Domain Users".

Note:
In the .NET Framework version 1.0, the role parameter is case-sensitive. In the .NET Framework version 1.1 and later, the role parameter is case-insensitive.

Examples

The following code example demonstrates the use of the WindowsPrincipal..::.IsInRole(String) method.

The strings BUILTIN\Administrators and BUILTIN\Users are used to determine whether the current principal is an administrator or a user. For the full code example, see the WindowsPrincipal..::.IsInRole(Int32) method.

Visual Basic

' Get the role using the string value of the role.
Console.WriteLine("{0}? {1}.", "Administrators", myPrincipal.IsInRole("BUILTIN\" + "Administrators"))
Console.WriteLine("{0}? {1}.", "Users", myPrincipal.IsInRole("BUILTIN\" + "Users"))

// Get the role using the string value of the role.
Console.WriteLine("{0}? {1}.", "Administrators",
    myPrincipal.IsInRole("BUILTIN\\" + "Administrators"));
Console.WriteLine("{0}? {1}.", "Users",
    myPrincipal.IsInRole("BUILTIN\\" + "Users"));

Platforms

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Version Information

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1, 1.0

Reference

WindowsPrincipal Class

WindowsPrincipal Members

IsInRole Overload

System.Security.Principal Namespace

WindowsBuiltInRole