Geeks With Blogs
Lee Brandt's Blog: You're only as smart as your last line of code

I have a small page I need to write for my company to list all employees. This in effect becomes the in-house phone roster. Makes sense, right? I thought it'd be no problem. I know I can manipulate AD from an ASP.NET page, so I'll put together this app, no problem. OK, my hubris got the best of me. I queried the AD directory service with no problem:

using System.DirectoryServices;

// The default constructor binds to the root of the domain this machine is joined to.
DirectoryEntry server = new DirectoryEntry();
DirectorySearcher searcher = new DirectorySearcher();
searcher.SearchRoot = server;
searcher.SearchScope = SearchScope.Subtree;
searcher.Sort = new SortOption("CN", SortDirection.Ascending);
// Find the group object itself (LDAP filter components are written without whitespace between them).
searcher.Filter = "(&(objectClass=group)(CN=EmployeeGroup))";
SearchResult group = searcher.FindOne();

Well, that's simple enough. This returns the group EmployeeGroup from Active Directory. Now I just need to list all the users in that group. Not so fast. The employees are not actually in EmployeeGroup; they are in groups that are in the EmployeeGroup. Well, OK, that shouldn't be a problem. See that line that says:

searcher.SearchScope = SearchScope.Subtree;

I believe that means to search the entire directory tree for whatever it is you're searching for. But that's not entirely accurate. At least not in the way I think about tree structures. What I ended up doing (and if anyone who knows AD better than me knows a better way to do it, please comment) is recursively getting users and then removing the duplicates from the list of users (in case someone is in more than one group in this group). Like this:

using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;

// A member list that the recursive function can populate.
private static List<string> employees = new List<string>();

// Then, in the main method, start the recursion:
// ... code from above
if (group != null) {
  FindGroupMembers(group.GetDirectoryEntry());
}

// The recursive method: walks nested groups through the ADSI IADsGroup.Members call.
public static void FindGroupMembers(DirectoryEntry entry) {
  object members = entry.Invoke("members");
  foreach (object item in (IEnumerable)members) {
    DirectoryEntry member = new DirectoryEntry(item);
    if (member.SchemaClassName == "group") {
      FindGroupMembers(member);  // descend into the nested group
    } else {
      // Check for duplicates on the same string that gets stored; comparing
      // against member.Name never matches, so a user in two groups would be listed twice.
      string line = string.Format("name={0} control={1}",
                                  member.Properties["CN"][0],
                                  member.Properties["userAccountControl"][0]);
      if (!employees.Contains(line))
        employees.Add(line);
    }
  }
}

It ends up being a lot like crawling a folder (ahem, directory) tree. The problem seems to be that Active Directory doesn't actually make a tree. It seems to be more disconnected than that. So searching for the users within a group seems to only work with the Invoke("members") method. I had originally assumed that to get all the users of a group, you would just:


using System;
using System.DirectoryServices;

// Bind directly to the group object and search beneath it.
DirectoryEntry server = new DirectoryEntry("LDAP://CN=EmployeeGroup,DC=sub,DC=domain,DC=com");
DirectorySearcher searcher = new DirectorySearcher();
searcher.SearchRoot = server;
searcher.SearchScope = SearchScope.Subtree;
searcher.Sort = new SortOption("CN", SortDirection.Ascending);
searcher.Filter = "(objectClass=user)";
SearchResultCollection results = searcher.FindAll();
Console.WriteLine(string.Format("Found {0} members", results.Count));
foreach (SearchResult result in results) {
  Console.WriteLine(string.Format("CN={0}, Path={1}", result.Properties["CN"][0], result.Path));
}

But no matter how I arrange it, the EmployeeGroup always returns 0 results. Am I missing something?

My recursion solution takes way too long to run (nearly 7 seconds!!!), so I am going to have to find another solution.
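Since the post asks for a faster alternative to the recursion, here is an added example (not the post's code) showing two options: a single server-side query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which makes the domain controller expand nested groups itself (supported by Windows Server 2003 SP2 and later domain controllers), and a cycle-safe version of the client-side walk. It assumes a domain-joined machine, a group DN like the post's CN=EmployeeGroup,DC=sub,DC=domain,DC=com, and a searchRootPath of the form LDAP://DC=sub,DC=domain,DC=com; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not the post's code; assumes a domain-joined machine.
public static class GroupMembers
{
    // One server-side query: LDAP_MATCHING_RULE_IN_CHAIN (OID ...1941) has the DC expand
    // nested groups; BIT_AND (OID ...803) on userAccountControl drops disabled accounts (0x2).
    public static List<string> FindUsersInChain(string groupDn, string searchRootPath)
    {
        var names = new List<string>();
        using (var root = new DirectoryEntry(searchRootPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000; // paged results; unpaged answers are capped
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilter(groupDn) + ")" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
            searcher.PropertiesToLoad.Add("cn");
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    names.Add((string)r.Properties["cn"][0]);
        }
        names.Sort(StringComparer.OrdinalIgnoreCase);
        return names;
    }
    // Client-side fallback for the post's recursion: a visited set of DNs removes
    // duplicates and stops the infinite loop circular nesting (A in B, B in A) causes.
    public static void WalkGroup(string dn, HashSet<string> visited, List<string> users)
    {
        if (!visited.Add(dn)) return; // seen before: duplicate member or a cycle
        using (var entry = new DirectoryEntry("LDAP://" + dn))
        {
            if (entry.SchemaClassName == "group")
                foreach (string childDn in entry.Properties["member"])
                    WalkGroup(childDn, visited, users);
            else if (entry.SchemaClassName == "user")
                users.Add((string)entry.Properties["cn"].Value);
        }
    }
    // RFC 4515 escaping: DNs may contain ( ) or \, and raw input allows filter injection.
    private static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The walk reads the LDAP member attribute rather than the ADSI Invoke("members") call, and both methods skip computer and contact objects that can also be group members.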

Any help would be appreciated.

~L

 

Posted on Thursday, April 3, 2008 1:13 PM | Learning, Active Directory


Comments on this post: (IN)Active Directory

# re: (IN)Active Directory
Just curious - do these user objects have their primary group set to the "Employee" group or has the primary group membership been left alone? I've seen in the past similar behavior if the primary group is set to the group you're searching against...though I'll admit I haven't done as much DirectoryServices programming recently as I used to...worth a quick check at least.
Left by Lou on Apr 04, 2008 6:18 AM

# re: (IN)Active Directory
Thanks for the feedback Lou. It seems the employees don't have their primary group as the "Employee" group. It seems to have been left alone. Will try to do some clean up and make sure the users are in the groups they belong in and try running the SubTree query again.

Thanks again,
~L
Left by Lee on Apr 04, 2008 9:47 AM



Copyright © Lee Brandt | Powered by: GeeksWithBlogs.net