Copying AD Users into a SharePoint 2010 SPGroup
I've run into a problem with SharePoint 2010 configured for Claims auth where the claims provider won't recursively read group membership. So if you have a claims group configured with a child group that contains users, like this:
- my_master_group
  - User1
  - my_child_group
    - User2
And then try to assign my_master_group rights to a SharePoint site, only User1 picks up those rights. User2 is ignored. So only top-level group members are ever granted rights. In my case, my source claims repository has a complex nested group structure that is synced up with our org's Active Directory. I have one master group that recursively holds all my group members and now I just want to get them into a SPGroup that I can then use for granting rights to my site. Here is my first stab at a rough solution for this, until the provider issue is resolved.
Create a scheduled task to copy AD members into a SPGroup
The plan is to first query AD, get a recursive list of my_master_group members and add them to the SharePoint group sp_my_master_group.
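
The plan above as a PowerShell example, added here and not the author's script. It goes one step beyond the copy by also removing SharePoint group members that are no longer in the AD group, so users dropped from my_master_group do not keep site rights. The site URL, the NetBIOS domain name, the Windows-claims login encoding and the premise that this script is the only thing managing sp_my_master_group are assumptions.

```powershell
# Added example. Run on a SharePoint 2010 server with the AD module installed.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adGroup = 'my_master_group'       # AD group named in the post
$spGroup = 'sp_my_master_group'    # SharePoint group named in the post
$siteUrl = 'http://sharepoint.example.local/sites/mysite'   # placeholder URL
$netbios = 'EXAMPLE'                                        # placeholder domain

# -Recursive flattens nested groups and returns only leaf members.
$wanted = @{}
Get-ADGroupMember -Identity $adGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # Assumption: users sign in with Windows claims. A custom claims
        # provider will need its own identity-to-login mapping here.
        $claim = New-SPClaimsPrincipal -Identity "$netbios\$($_.SamAccountName)" `
                                       -IdentityType WindowsSamAccountName
        $login = $claim.ToEncodedString()
        $wanted[$login.ToLower()] = $login
    }

# A failed or empty AD query must not be allowed to empty the SharePoint group.
if ($wanted.Count -eq 0) { throw "No members returned for '$adGroup'; not syncing." }

$web = Get-SPWeb $siteUrl
try {
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
    if ($null -eq $group) { throw "SharePoint group '$spGroup' not found." }

    # Snapshot current membership before changing it.
    $current = @{}
    foreach ($u in @($group.Users)) { $current[$u.LoginName.ToLower()] = $u }

    foreach ($key in $wanted.Keys) {
        if (-not $current.ContainsKey($key)) {
            $group.AddUser($web.EnsureUser($wanted[$key]))
            Write-Output "added   $($wanted[$key])"
        }
    }
    foreach ($key in @($current.Keys)) {
        if (-not $wanted.ContainsKey($key)) {
            $group.RemoveUser($current[$key])
            Write-Output "removed $($current[$key].LoginName)"
        }
    }
}
finally { $web.Dispose() }
```

Keeping the `added`/`removed` lines in the scheduled task's log gives an audit trail of when each user gained or lost access through the group.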