How to get all the AD groups for a particular user

Question

I checked this post already  But it doesn t answer my question  I want to get all the active directory groups in which a particular user is a member   I ve written the following code  But I m not able to proceed further as I don t know how to give the filter and how to access the properties   class Program       static void Main string   args                DirectoryEntry de   new DirectoryEntry  LDAP   mydomain com            DirectorySearcher searcher   new DirectorySearcher de           searcher Filter      amp  ObjectClass group             searcher PropertiesToLoad Add  distinguishedName            searcher PropertiesToLoad Add  sAMAccountName            searcher PropertiesToLoad Add  name            searcher PropertiesToLoad Add  objectSid            SearchResultCollection results   searcher FindAll            int i   1          foreach  SearchResult res in results                        Console WriteLine  Result    Convert ToString i                  DisplayProperties  distinguishedName   res               DisplayProperties  sAMAccouontName   res               DisplayProperties  name   res               DisplayProperties  objectSid   res               Console WriteLine                       Console ReadKey               private static void DisplayProperties string property  SearchResult res                Console WriteLine   t    property           ResultPropertyValueCollection col   res Properties property           foreach  object o in col                        Console WriteLine   t t    o ToString                         Any ideas

User · Answer

Here is the code that worked for me   public ArrayList GetBBGroups WindowsIdentity identity        ArrayList groups   new ArrayList         try               String userName   identity Name          int pos   userName IndexOf                if  pos  gt  0  userName   userName Substring pos   1            PrincipalContext domain   new PrincipalContext ContextType Domain   riomc com            UserPrincipal user   UserPrincipal FindByIdentity domain  IdentityType SamAccountName  userName            DirectoryEntry de   new DirectoryEntry  LDAP   RIOMC com            DirectorySearcher search   new DirectorySearcher de           search Filter      amp  objectClass group  member     user DistinguishedName                 search PropertiesToLoad Add  samaccountname            search PropertiesToLoad Add  cn             String name          SearchResultCollection results   search FindAll            foreach  SearchResult result in results                        name    String result Properties  samaccountname   0               if  String IsNullOrEmpty name                                 name    String result Properties  cn   0                             GetGroupsRecursive groups  de  name                       catch                  return an empty list               return groups     public void GetGroupsRecursive ArrayList groups  DirectoryEntry de  String dn        DirectorySearcher search   new DirectorySearcher de       search Filter      amp  objectClass group    samaccountname     dn      cn     dn              search PropertiesToLoad Add  memberof         String group  name      SearchResult result   search FindOne        if  result    null  return       group     RIOMC     dn      if   groups Contains group                 groups Add group             if  result Properties  memberof   Count    0  return      int equalsIndex  commaIndex      foreach  String dn1 in result Properties  memberof                  equalsIndex   dn1 IndexOf      1           if  equalsIndex  gt  0                        commaIndex   dn1 IndexOf      equalsIndex   1               name   dn1 Substring equalsIndex   1  commaIndex - equalsIndex - 1               GetGroupsRecursive groups  de  name                       I measured it s performance in a loop of 200 runs against the code that uses the AttributeValuesMultiString recursive method  and it worked 1 3 times faster  It might be so because of our AD settings  Both snippets gave the same result though

User · Answer

I would like to say that Microsoft LDAP has some special ways to search recursively for all of memberships of a user    The Matching Rule you can specify for the  member  attribute   In particular  using the Microsoft Exclusive LDAP MATCHING RULE IN CHAIN rule for  member  attribute allows recursive nested membership searching   The rule is used when you add it after the member attribute  Ex    member 1 2 840 113556 1 4 1941   XXXXX   For the same Domain as the Account  The filter can use  lt SID S-1-5-21-XXXXXXXXXXXXXXXXXXXXXXX gt  instead of an Accounts DistinguishedName attribute which is very handy to use cross domain if needed   HOWEVER it appears you need to use the ForeignSecurityPrincipal  lt GUID YYYY gt  as it will not resolve your SID as it appears the  lt SID  gt  tag does not consider ForeignSecurityPrincipal object type   You can use the ForeignSecurityPrincipal DistinguishedName as well    Using this knowledge  you can LDAP query those hard to get memberships  such as the  Domain Local  groups an Account is a member of but unless you looked at the members of the group  you wouldn t know if user was a member     Get Direct Indirect Memberships of User  where SID is XXXXXX   string str      amp   objectCategory group  member 1 2 840 113556 1 4 1941   lt SID XXXXXX gt          Get Direct Indirect   Domain Local   Memberships of User  where SID is XXXXXX   string str2      amp   objectCategory group    groupType -2147483644  groupType 4   member 1 2 840 113556 1 4 1941   lt SID XXXXXX gt          TAA DAA    Feel free to try these LDAP queries after substituting the SID of a user you want to retrieve all group memberships of   I figure this is similiar if not the same query as what the PowerShell Command Get-ADPrincipalGroupMembership uses behind the scenes  The command states  If you want to search for local groups in another domain  use the ResourceContextServer parameter to specify the alternate server in the other domain    If you are familiar enough with C  and Active Directory  you should know how to perform an LDAP search using the LDAP queries provided   Additional Documentation       lt SID gt  Binding String  lt GUID gt  Binding String

User · Answer

Use tokenGroups   DirectorySearcher ds   new DirectorySearcher    ds Filter   String Format    amp  objectClass user  sAMAccountName  0      username   SearchResult sr   ds FindOne     DirectoryEntry user   sr GetDirectoryEntry    user RefreshCache new string      tokenGroups       for  int i   0  i  lt  user Properties  tokenGroups   Count  i          SecurityIdentifier sid   new SecurityIdentifier  byte    user Properties  tokenGroups   i   0       NTAccount nt    NTAccount sid Translate typeof NTAccount          do something with the SID or name  nt Value      Note  this only gets security groups

User · Answer

This is how I list all the groups  direct and indirect  for a specific Distinguished Name  The string 1 2 840 113556 1 4 1941 specifies LDAP MATCHING RULE IN CHAIN  This rule is limited to filters that apply to the DN  This is a special  quot extended quot  match operator that walks the chain of ancestry in objects all the way to the root until it finds a match  This method is 25 times faster than the UserPrincipal GetGroups   method in my testing  Note  The primary group  typically Domain Users  is not returned by this or GetGroups   method  To get the primary group name too  I ve confirmed this method works  Additionally  I found this list of LDAP filters extremely useful  private IEnumerable lt string gt  GetGroupsForDistinguishedName DirectoryEntry domainDirectoryEntry  string distinguishedName        var groups   new List lt string gt         if   string IsNullOrEmpty distinguishedName                 var getGroupsFilterForDn     quot   amp  objectCategory group  member 1 2 840 113556 1 4 1941   distinguishedName    quot           using  DirectorySearcher dirSearch   new DirectorySearcher domainDirectoryEntry                         dirSearch Filter   getGroupsFilterForDn              dirSearch PropertiesToLoad Add  quot name quot                 using  var results   dirSearch FindAll                                  foreach  SearchResult result in results                                        if  result Properties Contains  quot name quot                            groups Add  string result Properties  quot name quot   0                                                         return groups

User · Answer

Just query the  memberOf  property and iterate though the return  example               search PropertiesToLoad Add  memberOf                StringBuilder groupNames   new StringBuilder      stuff them in   delimited                  SearchResult result   search FindOne                    int propertyCount   result Properties  memberOf   Count                  String dn                  int equalsIndex  commaIndex                   for  int propertyCounter   0  propertyCounter  lt  propertyCount                      propertyCounter                                          dn    String result Properties  memberOf   propertyCounter                        equalsIndex   dn IndexOf      1                       commaIndex   dn IndexOf      1                       if  -1    equalsIndex                                                return null                                            groupNames Append dn Substring  equalsIndex   1                                    commaIndex - equalsIndex  - 1                        groupNames Append                                      return groupNames ToString      This just stuffs the group names into the groupNames string  pipe delimited  but when you spin through you can do whatever you want with them

User · Answer

The following example is from the Code Project article   Almost  Everything In Active Directory via C       userDn is a Distinguished Name such as      LDAP   CN Joe Smith OU Sales OU domain OU com  public ArrayList Groups string userDn  bool recursive        ArrayList groupMemberships   new ArrayList        return AttributeValuesMultiString  memberOf   userDn          groupMemberships  recursive      public ArrayList AttributeValuesMultiString string attributeName       string objectDn  ArrayList valuesCollection  bool recursive        DirectoryEntry ent   new DirectoryEntry objectDn       PropertyValueCollection ValueCollection   ent Properties attributeName       IEnumerator en   ValueCollection GetEnumerator         while  en MoveNext                  if  en Current    null                        if   valuesCollection Contains en Current ToString                                   valuesCollection Add en Current ToString                     if  recursive                                        AttributeValuesMultiString attributeName   LDAP                           en Current ToString    valuesCollection  true                                                       ent Close        ent Dispose        return valuesCollection      Just call the Groups method with the Distinguished Name for the user  and pass in the bool flag to indicate if you want to include nested   child groups memberships in your resulting ArrayList   ArrayList groups   Groups  LDAP   CN Joe Smith OU Sales OU domain OU com   true   foreach  string groupName in groups        Console WriteLine groupName       If you need to do any serious level of Active Directory programming in  NET I highly recommend bookmarking  amp  reviewing the Code Project article I mentioned above

User · Answer

This code works even faster  two 1 5 faster than my previous version        public List lt String gt  GetUserGroups WindowsIdentity identity                List lt String gt  groups   new List lt String gt              String userName   identity Name          int pos   userName IndexOf                if  pos  gt  0  userName   userName Substring pos   1            PrincipalContext domain   new PrincipalContext ContextType Domain   riomc com            UserPrincipal user   UserPrincipal FindByIdentity domain  IdentityType SamAccountName  userName      NGeodakov          DirectoryEntry de   new DirectoryEntry  LDAP   RIOMC com            DirectorySearcher search   new DirectorySearcher de           search Filter      amp  objectClass group  member     user DistinguishedName                 search PropertiesToLoad Add  cn            search PropertiesToLoad Add  samaccountname            search PropertiesToLoad Add  memberOf             SearchResultCollection results   search FindAll            foreach  SearchResult sr in results                        GetUserGroupsRecursive groups  sr  de                      return groups             public void GetUserGroupsRecursive List lt String gt  groups  SearchResult sr  DirectoryEntry de                if  sr    null  return           String group    String sr Properties  cn   0           if  String IsNullOrEmpty group                         group    String sr Properties  samaccountname   0                     if   groups Contains group                         groups Add group                      DirectorySearcher search          SearchResult sr1          String name          int equalsIndex  commaIndex          foreach  String dn in sr Properties  memberof                          equalsIndex   dn IndexOf      1               if  equalsIndex  gt  0                                commaIndex   dn IndexOf      equalsIndex   1                   name   dn Substring equalsIndex   1  commaIndex - equalsIndex - 1                    search   new DirectorySearcher de                   search Filter      amp  objectClass group    cn     name      samaccountname     name                          search PropertiesToLoad Add  cn                    search PropertiesToLoad Add  samaccountname                    search PropertiesToLoad Add  memberOf                    sr1   search FindOne                    GetUserGroupsRecursive groups  sr1  de

User · Answer

If you have a LDAP connection with a username and password to connect to Active Directory  here is the code I used to connect properly   using System DirectoryServices AccountManagement              Connection information var connectionString    LDAP   domain com DC domain DC com   var connectionUsername    your ad username   var connectionPassword    your ad password       Get groups for this user var username    myusername       Split the LDAP Uri var uri   new Uri connectionString   var host   uri Host  var container   uri Segments Count    gt  1   uri Segments 1            Create context to connect to AD var princContext   new PrincipalContext ContextType Domain  host  container  connectionUsername  connectionPassword       Get User UserPrincipal user   UserPrincipal FindByIdentity princContext  IdentityType SamAccountName  username       Browse user s groups foreach  GroupPrincipal group in user GetGroups          Console Out WriteLine group Name

User · Answer

PrincipalContext pc1   new PrincipalContext ContextType Domain   DomainName   UserAccountOU  UserName  Password   UserPrincipal UserPrincipalID   UserPrincipal FindByIdentity pc1  IdentityType SamAccountName  UserID    searcher Filter      amp  ObjectClass group  member       UserPrincipalID DistinguishedName

User · Answer

You should use System DirectoryServices AccountManagement   It s much easier   Here is a nice code project article giving you an overview on all the classes in this DLL   As you pointed out  your current approach doesn t find out the primary group   Actually  it s much worse than you thought   There are some more cases that it doesn t work  like the domain local group from another domain   You can check here for details   Here is how the code looks like if you switch to use System DirectoryServices AccountManagement   The following code can find the immediate groups this user assigned to  which includes the primary group   UserPrincipal user   UserPrincipal FindByIdentity new PrincipalContext  ContextType Domain   mydomain com    IdentityType SamAccountName   username    foreach  GroupPrincipal group in user GetGroups          Console Out WriteLine group

[c#] How to get all the AD groups for a particular user?

Examples related to c#

Examples related to .net

Examples related to active-directory

Examples related to ldap

Examples related to directoryservices