Is it possible to have more than one entity/person listed as a manager of an AD group?
I have a distribution group created using Exchange. The group has multiple ManagedBy entities when viewed from the Exchange side.
When I query using DirectorySearcher AD only shows just one entry for ManagedBy, the first entry.
I can update the ManagedBy with a string value of a known user but using something like the below doesn't seem to work.
Code snippet A:
using (var context = new PrincipalContext(ContextType.Domain, _connection.Domain, _connection.ServiceUserName, _connection.ServicePassword))
{
using (var searcher = new PrincipalSearcher())
{
var sp = new GroupSearchPrincipal(context, groupDn);
searcher.QueryFilter = sp;
var groupSearch = searcher.FindOne();
if (groupSearch is null)
{
throw new Exception($"The Group with SamAccountName {groupDn} could not be found");
}
var directoryEntry = (DirectoryEntry)groupSearch.GetUnderlyingObject();
directoryEntry.Properties["managedBy"].Add(managerDn);
directoryEntry.CommitChanges();
directoryEntry.Close();
}
return SuccessResponse();
}
Committing the change yields the result shown in this screenshot:
The error possibly means that I'm adding a value that already exists with the included new value from 'managerDn'. Clearing the value seems to confirm this.
directoryEntry.Properties["managedBy"].Clear();
Are multiple managedBy entries exclusive to Exchange?
If the group was created with Exchange it'll likely contain the attribute
msExchCoManagedByLink
This identifies the additional ManagedBy entities I was looking for.
Related
I regularly read out the active directory for an application to store the current state in a database.
To reduce the amount of data I use DirectorySynchronization to get only the changes since the last query.
But now I also need the attribute "memberOf" which is not provided by the DirectorySearcher when using DirectorySynchronization.
At the moment I get the DirectoryEntry for each found entry, but then more attributes are delivered than I need, which contradicts the actual intention.
Is there a way to set which attributes are read with DirectoryEntry, similar to PropertiesToLoad with DirectorySearcher or is there better way to read the attribute "memberOf" when using DirectorySynchronization?
Code excerpt:
using System.DirectoryServices;
DirectoryEntry searchRoot = new DirectoryEntry(domain, username,password, AuthenticationTypes.Secure);
DirectorySearcher dirSearch = new DirectorySearcher(searchRoot);
dirSearch.PropertiesToLoad.Add("samaccountname");
dirSearch.PropertiesToLoad.Add("distinguishedname");
dirSearch.PropertiesToLoad.Add("mail");
//filter to user objects
dirSearch.Filter = "(objectCategory=person)";
dirSearch.Filter = "(objectClass=user)";
byte[] cookie = null;
DirectorySynchronization sync = new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity,cookie);
dirSearch.DirectorySynchronization = sync;
using (searchRoot)
{
using (SearchResultCollection results = dirSearch.FindAll())
{
foreach (SearchResult result in results)
{
DirectoryEntry dirEntry = result.GetDirectoryEntry();
List<string> memberOf = new List<string>();
PropertyValueCollection prop = dirEntry.Properties["memberof"];
foreach(var member in prop)
{
memberOf.Add((string)member);
}
}
}
cookie = sync.GetDirectorySynchronizationCookie();
}
But now I also need the attribute "memberOf" which is not provided by the DirectorySearcher when using DirectorySynchronization.
memberOf is a special attribute computed by the directory, so it's not provided by DirectorySynchronization (which uses in fact DirSync control). The only thing that could provide DirectorySynchronization is the directory's real modification, which belongs to a user's DN added to a group object in the member attribute (which kind of triggers a memberOf recomputation)
At the moment I get the DirectoryEntry for each found entry, but then more attributes are delivered than I need, which contradicts the actual intention.
GetDirectoryEntry performs a new directory search and loads all the attributes (it has no link with the DirectorySearcher settings and previous search).
So, instead of the GetDirectoryEntry, you can use another DirectorySearcher (that will load just the memberOf) that will do a single search on each loop (example without any strong tests, ie. null values etc.):
using (searchRoot)
{
using (SearchResultCollection results = dirSearch.FindAll())
{
// A new DirectorySearcher
DirectorySearcher anotherDirectorySearcher = new DirectorySearcher(searchRoot);
anotherDirectorySearcher.PropertiesToLoad.Add("memberOf");
foreach (SearchResult result in results)
{
// A new filter on each loop in order to look for an single entry
anotherDirectorySearcher.Filter = $"(samaccountname={(string)result.Properties["samaccountname"][0]})";
List<string> memberOf = new List<string>();
foreach(var member in anotherDirectorySearcher.FindOne().Properties["memberOf"])
{
memberOf.Add((string)member);
}
}
}
cookie = sync.GetDirectorySynchronizationCookie();
}
Note that:
dirSearch.Filter = "(objectCategory=person)";
// Here you override the previous one (the Filter property is a string)
dirSearch.Filter = "(objectClass=user)";
// If you want both, you can use:
dirSearch.Filter = "(&(objectCategory=person)(objectClass=user))";
I can search the user and find only the groups that the user belongs to. And now i want to return all the groups/roles and assign a user to a specific group/role.
DirectoryEntry and PrincipalContext doesn't work in my case and i have tried that for days.
This is my working code for searching user group/roles which is working fine.
How can i get all the groups/roles?
And Add user to a group/role
Container = “ou=containername,ou=xx,ou=xx,O=xxxxx”
Domain = “mydomain.com”
group = ou=groups,ou=containername,ou=xx,ou=xx,O=xxxx
List<string> roles = new List<string>();
SearchRequest request = new SearchRequest("", "(&(objectClass=person)(mail=myusername))", System.DirectoryServices.Protocols.SearchScope.Subtree);
SearchResponse response = (SearchResponse)con.SendRequest(request);
if (response.Entries.Count == 0)
{
return null;
}
else
{
foreach (SearchResultEntry entry in response.Entries)
{
if (entry.Attributes["member"] != null)
{
roles = (entry.Attributes["member"].GetValues(typeof(string))).ToArray().Select(r => r.ToString()
.Substring(r.ToString().IndexOf("cn=") + 3,
r.ToString().IndexOf(",") - 3))
.ToList();
}
}
}
return roles;
I don't think you're using Active Directory. What tipped me off is that you're getting data from the member attribute of a user. That's not how it works with Active Directory (it would be memberOf).
I'm not entirely sure what you're asking for. Your title mentioned "nested groups", which means when one group is a member of another group. So I assume that would mean that you want to find every group the user is a member of and all groups that those groups are members of, etc. If that's the case, you will really have to find out what type of server you're connecting to before anyone can give you a good answer on that.
But in your question you say "How can i get all the groups/roles?" So does that mean you just want to find every group that exists? To do that, you can just do a new search and use this as the filter:
(objectClass=group)
For adding a user to a group, I think it would be something like this (where userDn is the distinguishedName of the user you want to add, and groupDn is that of the group):
var mod = new DirectoryAttributeModification {
Name = "member",
Operation = DirectoryAttributeOperation.Add
}
mod.Add(userDn);
var response = (ModifyResponse) connectionObject.SendRequest(
new ModifyRequest {
DistinguishedName = groupDn,
Modifications = { mod }
}
);
But I've never actually used LdapConnection, so you might need to tweak it.
By default, the ADLDS or AD MemberOf (User object) Member (Group object) attribute is not retrieved.
Example Solution for User
SearchRequest request = new SearchRequest("", "(&(objectClass=user)(mail=myusername))", System.DirectoryServices.Protocols.SearchScope.Subtree);
request.Attributes.Add("memberOf");
or Group
SearchRequest request = new SearchRequest("", "(&(objectClass=group))", System.DirectoryServices.Protocols.SearchScope.Subtree);
request.Attributes.Add("member");
Default LDAP Filters and Attributes for Users, Groups and Containers
I have a user query that can't be done at an OU level. I am trying to only return users where they are a member of a group (I need to filter by the group string value, not the actual group object). Here is what it currently looks like:
using (var entry = new DirectoryEntry("LDAP://foo.net/DC=appName,DC=domainName,DC=com", Username, Password)) {
using (var searcher = new DirectorySearcher()) {
searcher.Filter = "(&(objectClass=user))";
searcher.SearchRoot = entry;
searcher.PropertiesToLoad.Add("memberOf");
foreach (SearchResult sr in searcher.FindAll()) {
var member = GetSearchResultProperty(sr, "memberOf");
}
}
}
This query goes across multiple OU's where there are different user and group containers.
Is there a way I can filter on the memberOf property when I execute my query (without specifying any sort of OU)?
Just add another term to the filter:
searcher.Filter = "(&(objectClass=user)(memberOf=myGroup))";
It looks like what I am trying to do isn't possible at the time of query execution because the memberOf property needs to be a full path to a group. In my case, I don't actually care about the group object, but, rather the group name (each OU will have different groups, but, could have the same group name). I had to take a different approach to solve this which could have performance implications later on. Just in case someone else finds this question looking for an answer, here is how I am solving it as of now:
using (var entry = new DirectoryEntry("LDAP://foo.net/DC=appName,DC=domainName,DC=com", Username, Password)) {
using (var searcher = new DirectorySearcher()) {
searcher.Filter = "(&(objectClass=user))";
searcher.SearchRoot = entry;
searcher.PageSize = 5000;
searcher.PropertiesToLoad.Add(DirectoryConstants.AD_PROPERTY_MEMBER_OF);
searcher.PropertiesToLoad.Add(DirectoryConstants.AD_PROPERTY_DISPLAY_NAME);
foreach (SearchResult sr in searcher.FindAll()) {
//The memberOf property will be a string array if the user is in multiple groups.
string[] memberOf = GetSearchResultProperties(sr, DirectoryConstants.AD_PROPERTY_MEMBER_OF);
//Check if the user is in the group by analyzing the string.
var group = memberOf.FirstOrDefault(m => m.StartsWith(string.Format("CN={0},", groupName)));
if (group != null) {
//The user is in the group!
}
}
}
}
You need to include the full distinguished name of the group in your search filter, as the memberOf property will contain that value.
searcher.Filter = "(&(objectClass=user)(memberOf=CN=myGroup,CN=groups,OU=theOU,DC=appName,DC=domainName,DC=com))";
EDIT :
My apologies, as I misread the question. Without including an OU, the only other way of doing this is taking the opposite approach, and locating the group object first :
searcher.Filter = "(&(objectClass=group)(name=Your Group Name)"
Then iterate through the DirectoryEntry using it's properties :
foreach(object dn in group.Properties["member"] )
{
string DistinguishedName = dn.ToString();
}
If you're retrieving more than 1,000+ users though, you'll need to take a more segmented approach, which is detailed in this article.
If I run 'net group /domain' on the Windows command line, I get a list of "global groups" for the current domain server. I want to get the same list from my .NET code.
Googling around I find thousands of "How to get the groups a user belongs to", "How to get the users that belong to a group", etc. I just want the list of all global groups; not those associated with a particular user. Can someone show me the code for this, or reference from which that code could be derived?
This code will find all Global groups in the current domain:
using (var context = new PrincipalContext(ContextType.Domain))
using (var filter = new GroupPrincipal(context) { GroupScope = GroupScope.Global })
using (var searcher = new PrincipalSearcher(filter))
{
var groups = searcher.FindAll();
}
I am looking to get a list of all of the groups that a user is a member of in Active Directory, both explicitly listed in the memberOf property list as well as implicitly through nested group membership. For example, if I examine UserA and UserA is a part of GroupA and GroupB, I also want to list GroupC if GroupB is a member of GroupC.
To give you a bit more insight into my application, I will be doing this on a limited basis. Basically, I want a security check occasionally that will list these additional memberships. I will want to differentiate the two but that shouldn't be hard.
My problem is that I have not found an efficient way to make this query work. The standard text on Active Directory (This CodeProject Article) shows a way to do this that is basically a recursive lookup. That seems terribly inefficient. Even in my small domain, a user might have 30+ group memberships. That means 30+ calls to Active Directory for one user.
I've looked into the following LDAP code to get all of the memberOf entries at once:
(memberOf:1.2.840.113556.1.4.1941:={0})
where {0} would be my LDAP path (ex: CN=UserA,OU=Users,DC=foo,DC=org). However, it does not return any records. The downside of this method, even if it worked, would be that I wouldn't know which group was explicit and which was implicit.
That is what I have so far. I would like to know if there is a better way than the CodeProject article and, if so, how that could be accomplished (actual code would be wonderful). I am using .NET 4.0 and C#. My Active Directory is at a Windows 2008 functional level (it isn't R2 yet).
Thirst thanks for this an interesting question.
Next, just a correction, you say :
I've looked into the following LDAP code to get all of the memberOf entries at once:
(memberOf:1.2.840.113556.1.4.1941:={0})
You don't make it work. I remember I make it work when I learnt about its existence, but it was in an LDIFDE.EXE filter. So I apply it to ADSI in C# and it's still working. There were too much parenthesis in the sample I took from Microsoft, but it was working (source in AD Search Filter Syntax).
According to your remark concerning the fact that we don't know if a user explicitly belongs to the group I add one more request. I know this is not very good, but it's the best I'am abable to do.
static void Main(string[] args)
{
/* Connection to Active Directory
*/
DirectoryEntry deBase = new DirectoryEntry("LDAP://WM2008R2ENT:389/dc=dom,dc=fr");
/* To find all the groups that "user1" is a member of :
* Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
* Set the scope to subtree
* Use the following filter :
* (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
*/
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");
SearchResultCollection srcGroups = dsLookFor.FindAll();
/* Just to know if user is explicitly in group
*/
foreach (SearchResult srcGroup in srcGroups)
{
Console.WriteLine("{0}", srcGroup.Path);
foreach (string property in srcGroup.Properties.PropertyNames)
{
Console.WriteLine("\t{0} : {1} ", property, srcGroup.Properties[property][0]);
}
DirectoryEntry aGroup = new DirectoryEntry(srcGroup.Path);
DirectorySearcher dsLookForAMermber = new DirectorySearcher(aGroup);
dsLookForAMermber.Filter = "(member=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookForAMermber.SearchScope = SearchScope.Base;
dsLookForAMermber.PropertiesToLoad.Add("cn");
SearchResultCollection memberInGroup = dsLookForAMermber.FindAll();
Console.WriteLine("Find the user {0}", memberInGroup.Count);
}
Console.ReadLine();
}
In my test tree this give :
LDAP://WM2008R2ENT:389/CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr
adspath : LDAP://WM2008R2ENT:389/CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr
cn : MonGrpSec
Find the user 1
LDAP://WM2008R2ENT:389/CN=MonGrpDis,OU=ForUser1,DC=dom,DC=fr
adspath : LDAP://WM2008R2ENT:389/CN=MonGrpDis,OU=ForUser1,DC=dom,DC=fr
cn : MonGrpDis
Find the user 1
LDAP://WM2008R2ENT:389/CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr
adspath : LDAP://WM2008R2ENT:389/CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr
cn : MonGrpPlusSec
Find the user 0
LDAP://WM2008R2ENT:389/CN=MonGrpPlusSecUniv,OU=ForUser1,DC=dom,DC=fr
adspath : LDAP://WM2008R2ENT:389/CN=MonGrpPlusSecUniv,OU=ForUser1,DC=dom,DC=fr
cn : MonGrpPlusSecUniv
Find the user 0
(edited)
'1.2.840.113556.1.4.1941' is not working in W2K3 SP1, it begins to work with SP2. I presume it's the same with W2K3 R2. It's supposed to work on W2K8. I test here with W2K8R2. I'll soon be able to test this on W2K8.
If there is no way other than recursive calls (and I don't believe there is) then at least you can let the framework do the work for you: see the UserPrincipal.GetAuthorizationGroups method (in the System.DirectoryServices.AccountManagement namespace and introduced in .Net 3.5)
This method searches all groups
recursively and returns the groups in
which the user is a member. The
returned set may also include
additional groups that system would
consider the user a member of for
authorization purposes.
Compare with the results of GetGroups ("Returns a collection of group objects that specify the groups of which the current principal is a member") to see whether the membership is explicit or implicit.
Use the ldap filter recursively but query for all groups returned after each query to reduce the number of round trips.
Ex:
Get all groups where user is a member
Get all groups where Step 1 Groups are members
Get all groups where Step 2 Groups are members
...
In my experience there are rarely more then 5 but should definitiely be much less then 30.
Also:
Make sure to only pull the properties
you are going to need back.
Caching results can significantly aid
performance but made my code much
more complicated.
Make sure to utilize connection pooling.
Primary group has to be handled seperately
you can utilize the tokenGroups and tokenGroupsGlobalAndUniversal properties if you are on Exchange server.
tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc
tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups
private void DoWorkWithUserGroups(string domain, string user)
{
var groupType = "tokenGroupsGlobalAndUniversal"; // use tokenGroups for only security groups
using (var userContext = new PrincipalContext(ContextType.Domain, domain))
{
using (var identity = UserPrincipal.FindByIdentity(userContext, IdentityType.SamAccountName, user))
{
if (identity == null)
return;
var userEntry = identity.GetUnderlyingObject() as DirectoryEntry;
userEntry.RefreshCache(new[] { groupType });
var sids = from byte[] sid in userEntry.Properties[groupType]
select new SecurityIdentifier(sid, 0);
foreach (var sid in sids)
{
using(var groupIdentity = GroupPrincipal.FindByIdentity(userContext, IdentityType.Sid, sid.ToString()))
{
if(groupIdentity == null)
continue; // this group is not in the domain, probably from sidhistory
// extract the info you want from the group
}
}
}
}
}
If you are using .NET 3.5 or higher you can use the System.DirectoryServices.AccountManagement namespace which really makes this easy.
See the related answer here: Active Directory nested groups
static List<SearchResult> ad_find_all_members(string a_sSearchRoot, string a_sGroupDN, string[] a_asPropsToLoad)
{
using (DirectoryEntry de = new DirectoryEntry(a_sSearchRoot))
return ad_find_all_members(de, a_sGroupDN, a_asPropsToLoad);
}
static List<SearchResult> ad_find_all_members(DirectoryEntry a_SearchRoot, string a_sGroupDN, string[] a_asPropsToLoad)
{
string sDN = "distinguishedName";
string sOC = "objectClass";
string sOC_GROUP = "group";
string[] asPropsToLoad = a_asPropsToLoad;
Array.Sort<string>(asPropsToLoad);
if (Array.BinarySearch<string>(asPropsToLoad, sDN) < 0)
{
Array.Resize<string>(ref asPropsToLoad, asPropsToLoad.Length+1);
asPropsToLoad[asPropsToLoad.Length-1] = sDN;
}
if (Array.BinarySearch<string>(asPropsToLoad, sOC) < 0)
{
Array.Resize<string>(ref asPropsToLoad, asPropsToLoad.Length+1);
asPropsToLoad[asPropsToLoad.Length-1] = sOC;
}
List<SearchResult> lsr = new List<SearchResult>();
using (DirectorySearcher ds = new DirectorySearcher(a_SearchRoot))
{
ds.Filter = "(&(|(objectClass=group)(objectClass=user))(memberOf=" + a_sGroupDN + "))";
ds.PropertiesToLoad.Clear();
ds.PropertiesToLoad.AddRange(asPropsToLoad);
ds.PageSize = 1000;
ds.SizeLimit = 0;
foreach (SearchResult sr in ds.FindAll())
lsr.Add(sr);
}
for(int i=0;i<lsr.Count;i++)
if (lsr[i].Properties.Contains(sOC) && lsr[i].Properties[sOC].Contains(sOC_GROUP))
lsr.AddRange(ad_find_all_members(a_SearchRoot, (string)lsr[i].Properties[sDN][0], asPropsToLoad));
return lsr;
}
static void Main(string[] args)
{
foreach (var sr in ad_find_all_members("LDAP://DC=your-domain,DC=com", "CN=your-group-name,OU=your-group-ou,DC=your-domain,DC=com", new string[] { "sAMAccountName" }))
Console.WriteLine((string)sr.Properties["distinguishedName"][0] + " : " + (string)sr.Properties["sAMAccountName"][0]);
}