There's a report that claims IADsUser::Groups does not find recursive group memberships.

If this is the case, this affects everyone using ActiveDirectoryAuthenticationProvider. MSDN documentation doesn't say one way or the other. Some local testing is required.

Unfortunately, IADsGroup doesn't seem to have a property that lists the other groups that the group belongs to, making it impossible to recursively discover all the groups that the user belongs to.

Another lead is to see how .NET does this. See WindowsPrincipal.IsInRole.

          [JENKINS-28856] ADSI fails to find recursive groups

          James Nord added a comment - edited

          Set up a 2012r2 AD server with 2 users and 4 groups (using 2 of the groups as intermediate).

          Verified that, using ADSI, the recursive groups are not found.
          Had to switch from ADSI mode to get recursive groups working.

          Jenkins 1.625.2, AD plugin 1.41
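
The gap described in this issue, modeled on constructed data as an added example (not code from the Active Directory plugin or from ADSI): a direct-only group lookup compared with the transitive closure over direct memberships that an authorization check needs. The directory contents and all names in `MEMBER_OF` are hypothetical, shaped like the test setup in the comment above (2 users, 4 groups, 2 of them intermediate).

```python
from collections import deque

# Constructed sample data: principal -> groups it is a DIRECT member of.
MEMBER_OF = {
    "alice": {"team-a"},
    "bob": {"team-b"},
    "team-a": {"jenkins-admins"},      # intermediate group
    "team-b": {"jenkins-users"},       # intermediate group
    "jenkins-admins": {"jenkins-users"},
    "jenkins-users": set(),
}


def direct_groups(principal, member_of=MEMBER_OF):
    """Direct memberships only: the behaviour the report attributes to ADSI mode."""
    return set(member_of.get(principal, ()))


def effective_groups(principal, member_of=MEMBER_OF):
    """Transitive closure over direct memberships (breadth-first walk)."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:      # already expanded; also keeps circular nesting finite
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def missed_by_direct_lookup(principal, member_of=MEMBER_OF):
    """Groups the principal effectively belongs to that a direct lookup omits."""
    return effective_groups(principal, member_of) - direct_groups(principal, member_of)


def is_authorized(principal, required_group, recursive, member_of=MEMBER_OF):
    """Group-based access decision under either lookup strategy."""
    if recursive:
        groups = effective_groups(principal, member_of)
    else:
        groups = direct_groups(principal, member_of)
    return required_group in groups


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "direct:", sorted(direct_groups(user)),
              "missed:", sorted(missed_by_direct_lookup(user)))
```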


            Unassigned Unassigned
            kohsuke Kohsuke Kawaguchi