Nested Active Directory Groups in a Group - c#

I have a need to find all the nested groups in a particular group 1 layer down. The problem I have is the code below usually works, but for some groups it does not.
If I use Windows Explorer to search for a particular group (click on the Network icon, then click on 'Search Active Directory'), I can see the members and nested groups within the parent group. But through code using System.DirectoryServices.AccountManagement on the 3.5 Framework, var Groups = MyGroup.GetGroups(); can't see the nested groups of some groups. I thought it was a permissions thing, but if I can see inside the group from my own manual search mentioned above, then I assume the code running from the same account should be able to see the same thing too. Is there something different I should try?
For what it's worth, I'm using a script task on top of Framework 3.5 inside of an SSIS package. Also in the same package, searching for groups from a user principal object instead of a group principal works fine.
And for clarity, when I run this code
PrincipalContext AD = new PrincipalContext(ContextType.Domain, "ctx", "mypath");
GroupPrincipal myGroup = GroupPrincipal.FindByIdentity(AD, "myparentgroup");
var nestedgroups = myGroup.GetGroups();
"Nestedgroups" is null when it should contain my nested groups.

The problem I had was I used var Groups = MyGroup.GetGroups(); when I should have used var Groups = MyGroup.GetMembers();. Putting that behind a LINQ statement allowed me to get all the objects I was looking for because .GetMembers() includes users and groups. Hope that helps.
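An added C# example (not code from the question or the answer above) that enumerates only the groups one layer down, using the same placeholder names "ctx", "mypath" and "myparentgroup" as the question; GetGroups() returns the groups the parent group itself belongs to, which is why it came back empty, while GetMembers(false) returns its direct members:

```csharp
// Added example; the context name, server and group name are placeholders from the question.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

static class NestedGroups
{
    // Returns the sAMAccountNames of groups that are direct members of parentGroupName.
    // GroupPrincipal.GetGroups() lists the groups the parent is a member of (its parents),
    // not its nested members; GetMembers(false) lists direct members, users and groups alike.
    public static List<string> DirectNestedGroups(PrincipalContext ctx, string parentGroupName)
    {
        var result = new List<string>();
        using (GroupPrincipal parent = GroupPrincipal.FindByIdentity(ctx, parentGroupName))
        {
            if (parent == null)
                throw new ArgumentException("Group not found: " + parentGroupName);

            // recursive: false -> one layer down only; grandchild groups are excluded
            foreach (Principal member in parent.GetMembers(false))
            {
                var nested = member as GroupPrincipal;   // skip users, keep groups
                if (nested != null)
                    result.Add(nested.SamAccountName);
                member.Dispose();
            }
        }
        return result;
    }

    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, "ctx", "mypath"))
        {
            foreach (string name in DirectNestedGroups(ctx, "myparentgroup"))
                Console.WriteLine(name);
        }
    }
}
```

Pass true to GetMembers to walk the whole nesting chain instead of one layer; dispose each Principal as you go, since the collection can be large.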

Related

Load list of Users in two Azure Active Directory Groups using Graph API

I am extremely new to Active Directory and to Azure, as will likely be obvious from my question. I am using the MVC Directory Graph Sample as a reference. I am able to do most of the things that I am attempting but I ran into a problem:
I have a hierarchy of Groups and Users in Azure Active Directory where I have two levels of groups (e.g. GroupA contains GroupB and GroupC, GroupD contains GroupE...). Users can be in, theoretically, any combination of these groups (e.g. GroupA, GroupD and GroupE).
I pass two strings to my MVC project controller where each string is the ID of a Group in my Azure Active Directory. I want to load only the User objects that overlap in the two Groups, i.e. only the Users that are in both groups.
Following along with one of the example projects from MSDN, I am able to load a list of all of the users in one of the Groups like so:
Group groupA = DirectoryService.groups.Where(it => (it.objectId == GroupAId)).SingleOrDefault();
DirectoryService.LoadProperty(groupA , "members");
List<User> usersListA = groupA.members.OfType<User>().ToList();
Duplicating this for the second list, I can then intersect the two:
Group groupB = DirectoryService.groups.Where(it => (it.objectId == GroupBId)).SingleOrDefault();
DirectoryService.LoadProperty(groupB , "members");
List<User> usersListB = groupB.members.OfType<User>().ToList(); // load from groupB, not groupA
List<User> finalList = usersListA.Intersect(usersListB).ToList(); // Intersect returns IEnumerable<User>
Basically, I'm loading both lists fully... my question is - is there a better way to do this?
For example, after I've loaded the list of Users from GroupA, is there a way for me to filter the list to include only those who belong to GroupB? Something along the lines of:
//<Incorrect syntax>
List<User> finalList = groupA.Where(user => user.memberOf("GroupB"));
//</Incorrect syntax>
No, there is currently no way to do this server-side, if that's what you are looking for.

Fetch AD Groups Without Parents Via C# .NET

I'm looking into fetching a list of Active Directory groups within an OU which have no parent groups using C# .NET.
I found a PowerShell command which looked hopeful, Get-QADGroup (http://wiki.powergui.org/index.php/Get-QADGroup), but I couldn't find a parameter that would filter for groups that have no parent groups.
I could iterate through the groups in the OU and check if each has a parent group or not, but I'd like to consider alternatives. Is this possible through an LDAP query?
You can simply check if memberOf is not populated.
The LDAP filter would be (&(objectCategory=group)(!memberOf=*)). The following PowerShell example would return all groups that are not members of any other groups.
Import-Module ActiveDirectory
$ldapFilter = '(&(objectCategory=group)(!(memberOf=*)))'
Get-ADObject -LDAPFilter $ldapFilter

c# LDAP membership enumeration

Here is my problem: I need to enumerate the members of certain groups in our Active Directory. The complication is that the DN of the objects that are in the 'membersOf' property of the groups do not contain the identifier I need. Specifically, the CN of the user object is useless to me, only a property of the user object (the userID) is useful.
So three approaches come to mind:
1) I can first enumerate the group to get a list of DN's in the group, and then do a lookup on each user DN to find out their userID
2) I can enumerate every user in the AD, grabbing their userID & their membersOf collection, and then check afterwards if they have the right memberships.
3) I could grab a list of all users with their CN's and userID's, and then enumerate the groups to get the member CN's. Then I could join the lists on the original list to get my list of member userID's.
Some problems immediately appear - option 1) will generate an extremely large number of subqueries and congest network traffic (undesirable), and option 2) pulls a HUGE amount of data from AD (something like 30mb). Option 3) is middle of the road - but it still pulls quite a bit of data and has multiple queries. Is there another option for how to do this which does not have these problems?
I am doing this in c# using the System.DirectoryServices tools.
Thank you in advance for your time and consideration.
Maybe there's an option #4, too:
you could set up a DirectorySearcher which enumerates users
you could define memberOf=....... as one of your search criteria
you can define what attributes you need from the directory searcher very easily
If this works (and I'm under the impression I got this to work before - but it's been quite a while!) then you could do one, single fairly focused search and automatically get your information that you need.
Try something like this:
using System.DirectoryServices;

// define the "root" of your search (where to begin)
DirectoryEntry searchRoot = new DirectoryEntry("LDAP://cn=users,dc=yourcompany,dc=com");
DirectorySearcher searcher = new DirectorySearcher(searchRoot);
// set properties
searcher.SearchScope = SearchScope.Subtree;
// define search filter: person objects whose memberOf contains the group's DN
searcher.Filter = "(&(objectCategory=Person)(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))";
// define attributes to load ("userid" stands for whatever attribute holds your user ID)
searcher.PropertiesToLoad.Add("userid");
// ... add more if needed ...
foreach(SearchResult entry in searcher.FindAll())
{
    string userid = entry.Properties["userid"][0].ToString();
}

SPWeb.Groups vs SPWeb.AssociatedGroups

I've seen three types of group properties for an SPWeb object - Groups, SiteGroups, AssociatedGroups.
I understand that SiteGroups will fetch all the groups in the current site collection. But what is the difference between Groups and AssociatedGroups? The MSDN definition says that Groups will get all the 'cross-site'(!) groups for that web site. AssociatedGroups are fairly easy to understand just from the very name.
So what does Groups return? Can somebody explain it to me with an example?
Groups returns all groups which have security roles assigned to the current site.
AssociatedGroups returns all groups visible in the left menu of the People and Groups page. Those groups may not have access to the current site (if the security settings do not inherit from the parent site). In this case, some of them will not be listed in the Groups property.
To view the difference, in a subsite, create a new group without giving any permission. The group will be visible in the AssociatedGroups and Left menu, but will not be listed in Groups or Site Permissions page.
I believe MSDN has the answer
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.sitegroups.aspx
Gets a collection that contains all the groups in the site collection.
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.groups.aspx
Gets a collection that contains all the groups for the website. The following code example uses the Groups property to return the collection of groups for a specified site in the current site collection.
Which means the SPGroup has been used in (i.e. assigned a permission in) the SPWeb somewhere.

ActiveDirectory DirectorySearcher: Check if user is member of a group

I want to know if a given user is a member of a group or not. Now, I don't know much about ActiveDirectory or Exchange servers, but in Outlook I can see that a user can be "memberOf" a group (and I can query those groups with DirectorySearcher.PropertiesToLoad.Add("memberof");), but there are also other groups that users are not actively members of, but that contain users. If you mail to those groups (or aliases) you reach all the users contained in it.
Basically, given a username (like DOMAIN\JDoe), how to check if it is contained in the group FUNNY_USERS in C#?
Use the System.DirectoryServices.AccountManagement namespace added in .Net 3.5 if it's available. Here's an example for group checking:
using System.DirectoryServices.AccountManagement;

// wrapped in a method so the return statement has somewhere to go
static bool IsInFunnyUsers()
{
    using(var pc = new PrincipalContext(ContextType.Domain))
    using(var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, @"DOMAIN\JDoe")) // verbatim string: "\J" is not a valid escape
    using(var group = GroupPrincipal.FindByIdentity(pc, "FUNNY_USERS"))
    {
        return user.IsMemberOf(group);
    }
}
Get all members in a group:
http://snipplr.com/view/4646/get-members-of-an-active-directory-distribution-group/
Once you have the list just loop through the usernames once.
Or:
Function to return all the groups the user is a member of
The users you see in Outlook are probably distribution groups. There are distribution groups and security groups in Active Directory. It seems like you want to check for either/or.
See my post at this similar question for an example in C# using only ldap calls
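An added C# example (not from any of the answers above) that covers both cases raised in this question: direct membership via IsMemberOf, membership through nested groups via GetMembers(true), and whether the group is a security or a distribution group. "JDoe" and "FUNNY_USERS" are the question's placeholders; the bare sAMAccountName is used because the PrincipalContext already supplies the domain.

```csharp
// Added example; group and user names are placeholders taken from the question.
using System;
using System.DirectoryServices.AccountManagement;

static class GroupCheck
{
    // Returns true if the user is in the group directly or through nesting.
    // nested is set when the match was only found by walking nested groups;
    // isSecurityGroup distinguishes security groups from distribution groups.
    public static bool IsInGroup(PrincipalContext ctx, string samAccountName, string groupName,
                                 out bool nested, out bool isSecurityGroup)
    {
        nested = false;
        isSecurityGroup = false;
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (user == null || group == null)
                return false;                       // unknown user or group: not a member
            isSecurityGroup = group.IsSecurityGroup ?? false;

            // IsMemberOf checks the group's direct member list
            if (user.IsMemberOf(group))
                return true;

            // GetMembers(true) expands nested groups; compare by SID, not by name
            foreach (Principal p in group.GetMembers(true))
            {
                bool match = p.Sid == user.Sid;
                p.Dispose();
                if (match) { nested = true; return true; }
            }
            return false;
        }
    }

    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            bool nested, isSecurity;
            bool inGroup = IsInGroup(ctx, "JDoe", "FUNNY_USERS", out nested, out isSecurity);
            Console.WriteLine("in group: {0}, via nesting: {1}, security group: {2}", inGroup, nested, isSecurity);
        }
    }
}
```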
