Active Directory query doesn't work...

G

Guest

Hello, everybody.

I'd like to do this: For a big program (a web service) I need information
about the usergroups an active-directory-user is member of. To be more
precise, I need to know if a particular user is in a particular group or not.
This is my first Active-Directory-query in a C#-program, so it might look
crude or primitive...well, it doesn't work anyway...

The interesting part of the code is this:

public bool GetADUserGroups(string userName, string gruppe)
{
bool ergebnis = false;

DirectoryEntry ebr = new
DirectoryEntry("LDAP://DOMAINE.DO","DOMAIN_USER","PASSWORD");

/*(do I need a domain admin for this or is a standard domain user
sufficient)*/

DirectorySearcher search = new DirectorySearcher(ebr);

/*(these are the many filter variants I tried. Except for the last one that
is not a comment, all terminated with errors)*/

//search.Filter = String.Format("(cn={0})", userName);

//search.Filter =
String.Format("&(objectClass=user)(userprincipalname={0})", userName);

//search.Filter = "&(objectClass=user)(userprincipalname=" +
userName + ")";

search.Filter = "(objectClass=user)";

/*(the username has the format "firstname.lastname", just like the login
name)*/

search.PropertiesToLoad.Add("memberOf");
search.PropertiesToLoad.Add("samAccountName");

foreach (SearchResult table in search.FindAll())
{
int groupCount = table.Properties["memberOf"].Count;

logger.LogInfo(table.Properties["samAccountName"].ToString());

if (table.Properties["samAccountName"].ToString() == userName)
{

for (int i = 0; i < groupCount; i++)
{

logger.LogInfo(table.Properties["memberOf"].ToString());

if (table.Properties["mebmerOf"].ToString() ==
gruppe)
{
ergebnis = true;
}
}
}
}


return ergebnis;
}



So, I'm finally there where I don't have any more ideas. I'm still trying,
but I'm feeling like any idea is a very long shot...

I'd be glad about any help you can provide. Many thanks in advance!
 
W

Willy Denoyette [MVP]

aziegler said:
Hello, everybody.

I'd like to do this: For a big program (a web service) I need information
about the usergroups an active-directory-user is member of. To be more
precise, I need to know if a particular user is in a particular group or not.
This is my first Active-Directory-query in a C#-program, so it might look
crude or primitive...well, it doesn't work anyway...

The interesting part of the code is this:

public bool GetADUserGroups(string userName, string gruppe)
{
bool ergebnis = false;

DirectoryEntry ebr = new
DirectoryEntry("LDAP://DOMAINE.DO","DOMAIN_USER","PASSWORD");

/*(do I need a domain admin for this or is a standard domain user
sufficient)*/

DirectorySearcher search = new DirectorySearcher(ebr);

/*(these are the many filter variants I tried. Except for the last one that
is not a comment, all terminated with errors)*/

//search.Filter = String.Format("(cn={0})", userName);

//search.Filter =
String.Format("&(objectClass=user)(userprincipalname={0})", userName);

//search.Filter = "&(objectClass=user)(userprincipalname=" +
userName + ")";

search.Filter = "(objectClass=user)";

/*(the username has the format "firstname.lastname", just like the login
name)*/

search.PropertiesToLoad.Add("memberOf");
search.PropertiesToLoad.Add("samAccountName");

foreach (SearchResult table in search.FindAll())
{
int groupCount = table.Properties["memberOf"].Count;

logger.LogInfo(table.Properties["samAccountName"].ToString());

if (table.Properties["samAccountName"].ToString() == userName)
{

for (int i = 0; i < groupCount; i++)
{

logger.LogInfo(table.Properties["memberOf"].ToString());

if (table.Properties["mebmerOf"].ToString() ==
gruppe)
{
ergebnis = true;
}
}
}
}


return ergebnis;
}



So, I'm finally there where I don't have any more ideas. I'm still trying,
but I'm feeling like any idea is a very long shot...

I'd be glad about any help you can provide. Many thanks in advance!
Click to expand...




Not really a C# question, you might get better responses when posting to the adsi NG,
anyway, following is a snip that illustrates how you can get the groups a user belongs to.

// bind to the Global Catalog
string rootPath = "GC://domaine.do/DC=..., DC=...";
//or
string rootPath = "LDAP://domaine.do/DC=..., DC=...";
..
string userAccount = "someUser";
..
using (DirectoryEntry root = new DirectoryEntry(rootPath, "domainuser", "password",
AuthenticationTypes.FastBind))
{
using (DirectorySearcher ds = new DirectorySearcher(root))
{
SearchResult sr = null;
ds.Filter = "(SAMAccountName=" + userAccount + ")";
sr = ds.FindOne();
using (DirectoryEntry user = sr.GetDirectoryEntry())
{
PropertyCollection pcoll = user.Properties;
PropertyValueCollection memberOf = pcoll["memberOf"];
foreach (string cnGroup in memberOf)
{
ds.Filter = cnGroup.Substring(0, cnGroup.IndexOf(','));
sr = ds.FindOne();
using (DirectoryEntry group = sr.GetDirectoryEntry())
{
Console.WriteLine(group.Properties["SAMAccountName"].Value.ToString());
}
}
}
}
}

Willy.
 
G

Guest

Thank you for the advice with the ADSI-group. They've told me a much easier
way to do what I wanted (using WindowsIdentity).

Thanks anyway for your efforts.


Willy Denoyette said:
aziegler said:
Hello, everybody.

I'd like to do this: For a big program (a web service) I need information
about the usergroups an active-directory-user is member of. To be more
precise, I need to know if a particular user is in a particular group or not.
This is my first Active-Directory-query in a C#-program, so it might look
crude or primitive...well, it doesn't work anyway...

The interesting part of the code is this:

public bool GetADUserGroups(string userName, string gruppe)
{
bool ergebnis = false;

DirectoryEntry ebr = new
DirectoryEntry("LDAP://DOMAINE.DO","DOMAIN_USER","PASSWORD");

/*(do I need a domain admin for this or is a standard domain user
sufficient)*/

DirectorySearcher search = new DirectorySearcher(ebr);

/*(these are the many filter variants I tried. Except for the last one that
is not a comment, all terminated with errors)*/

//search.Filter = String.Format("(cn={0})", userName);

//search.Filter =
String.Format("&(objectClass=user)(userprincipalname={0})", userName);

//search.Filter = "&(objectClass=user)(userprincipalname=" +
userName + ")";

search.Filter = "(objectClass=user)";

/*(the username has the format "firstname.lastname", just like the login
name)*/

search.PropertiesToLoad.Add("memberOf");
search.PropertiesToLoad.Add("samAccountName");

foreach (SearchResult table in search.FindAll())
{
int groupCount = table.Properties["memberOf"].Count;

logger.LogInfo(table.Properties["samAccountName"].ToString());

if (table.Properties["samAccountName"].ToString() == userName)
{

for (int i = 0; i < groupCount; i++)
{

logger.LogInfo(table.Properties["memberOf"].ToString());

if (table.Properties["mebmerOf"].ToString() ==
gruppe)
{
ergebnis = true;
}
}
}
}


return ergebnis;
}



So, I'm finally there where I don't have any more ideas. I'm still trying,
but I'm feeling like any idea is a very long shot...

I'd be glad about any help you can provide. Many thanks in advance!
Click to expand...




Not really a C# question, you might get better responses when posting to the adsi NG,
anyway, following is a snip that illustrates how you can get the groups a user belongs to.

// bind to the Global Catalog
string rootPath = "GC://domaine.do/DC=..., DC=...";
//or
string rootPath = "LDAP://domaine.do/DC=..., DC=...";
..
string userAccount = "someUser";
..
using (DirectoryEntry root = new DirectoryEntry(rootPath, "domainuser", "password",
AuthenticationTypes.FastBind))
{
using (DirectorySearcher ds = new DirectorySearcher(root))
{
SearchResult sr = null;
ds.Filter = "(SAMAccountName=" + userAccount + ")";
sr = ds.FindOne();
using (DirectoryEntry user = sr.GetDirectoryEntry())
{
PropertyCollection pcoll = user.Properties;
PropertyValueCollection memberOf = pcoll["memberOf"];
foreach (string cnGroup in memberOf)
{
ds.Filter = cnGroup.Substring(0, cnGroup.IndexOf(','));
sr = ds.FindOne();
using (DirectoryEntry group = sr.GetDirectoryEntry())
{
Console.WriteLine(group.Properties["SAMAccountName"].Value.ToString());
}
}
}
}
}

Willy.
Click to expand...
 
W

Willy Denoyette [MVP]

aziegler said:
Thank you for the advice with the ADSI-group. They've told me a much
easier
way to do what I wanted (using WindowsIdentity).
Click to expand...

True, but you asked about users in an AD, right? WindowsIdentity won't help
you find the groups a arbitrary user belongs to, it's only usable when using
the current user's Identity!


Willy.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Active Directory Properties not loading.... 1
Active directory 8
Update active directory user from Windows Service 2
How to get memberOf groups for a user in ldap ? 1
How can i connect LDAP and query AD to authorize Domain User Name and Password? 0
Active Directory FindOne Problems 7
AD w/ LDAP 2
Authenticate user in OpenLDAP with username and password 3

Top