DirectorySearcher for a user when I have an objectSID

  • Question

  • I would like to find a user in AD using the DirectorySearcher class. All I have is an objectSID.

    The filter "(&(objectClass=user)(sid=S-1-5-21-3026302946-1819051520-297497296-2925))" does not seem to work.


    Certified Geek

    Thursday, April 2, 2015 1:20 PM

Answers

  • Perhaps you can try a filter similar to the following, where you specify the distinguished name of the group:

    (memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)

    Edit: Also, you may need to enable referral chasing. See these links:

    https://msdn.microsoft.com/en-us/library/aa772250(v=vs.85).aspx

    http://technet.microsoft.com/en-us/ie/aa746453(v=vs.71).aspx

    I have used ADS_CHASE_REFERRALS_SUBORDINATE in the past.


    Richard Mueller - MVP Directory Services



    Thursday, April 2, 2015 3:29 PM
  • The only attributes of Active Directory users that indicate which OU the object resides in are distinguishedName and canonicalName. An LDAP filter cannot use canonicalName because it is operational, also called a constructed attribute (it isn't really saved in the AD database). And you cannot use the wildcard character with distinguishedName, so that isn't an option.

    Instead, you need to make the "base" of the query the distinguished name of the organizational unit. Then DirectorySearcher will only consider objects in the "base" you specified. If the "scope" is OneLevel, then only objects directly in the base are considered. The default scope of SubTree means the query considers all objects in the base, and in any child OU's or containers of the base.

    DirectorySearcher.SearchRoot is the "base" of the query. DirectorySearcher.SearchScope is the "Scope".

    To restrict the query to user objects, the suggested filter would be:

    (&(objectCategory=person)(objectClass=user))

    Otherwise, (objectClass=user) will include user and computer objects. If you use (objectCategory=person), you get both user and contact objects. The filter (objectCategory=user) also retrieves both user and contact objects.

    Richard Mueller - MVP Directory Services

    • Marked as answer by Arne MN Friday, April 3, 2015 12:14 PM
    Thursday, April 2, 2015 10:42 PM
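Added example, not code from the thread: a C# DirectorySearcher lookup by objectSid that escapes the binary SID for the LDAP filter and searches the global catalog so a user in another domain of the forest is found, plus an OU-scoped search using SearchRoot and SearchScope as the accepted answer describes. The forest name example.com and the OU distinguished name are assumed placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class AdLookup
{
    // Encode a SID string as the escaped byte form an LDAP filter expects for the
    // binary objectSid attribute (RFC 4515 "\XX" escaping). Constructing the
    // SecurityIdentifier rejects malformed input, so an untrusted SID string
    // cannot smuggle filter syntax into the query.
    static string SidToLdapFilterValue(string sid)
    {
        var sidObj = new SecurityIdentifier(sid);
        var bytes = new byte[sidObj.BinaryLength];
        sidObj.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.Append('\\').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // Search the forest-wide global catalog (assumed forest root example.com),
    // so the lookup succeeds even when the user lives in a different domain.
    public static SearchResult FindUserBySid(string sid)
    {
        using (var root = new DirectoryEntry("GC://example.com"))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(objectSid="
                              + SidToLdapFilterValue(sid) + "))";
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName", "sAMAccountName" });
            return searcher.FindOne(); // null when no user matches
        }
    }

    // List users under one OU by making the OU the "base" (SearchRoot); Subtree
    // also descends into child OUs, OneLevel would stay in the OU itself.
    public static void ListUsersInOu(string ouDn)
    {
        using (var root = new DirectoryEntry("LDAP://" + ouDn))
        using (var searcher = new DirectorySearcher(root, "(&(objectCategory=person)(objectClass=user))"))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    Console.WriteLine(r.Properties["distinguishedName"][0]);
        }
    }
}
```

If a domain-scoped LDAP:// root must be used instead of the global catalog, set searcher.ReferralChasing to a ReferralChasingOption such as Subordinate so results from other domains are followed.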

All replies

  • Specify "objectSID" instead of "sid" in the clause.


    Richard Mueller - MVP Directory Services

    Thursday, April 2, 2015 2:47 PM
  • I tried objectSID, but no luck!

    I am trying to find all the users in a group. I have a forest of domains. The users in a group may be in different domains.


    Certified Geek



    • Edited by Arne MN Thursday, April 2, 2015 3:03 PM
    Thursday, April 2, 2015 2:57 PM
  • Your solution works for a group. Next I need something that would work for an organizational unit.

    Certified Geek


    • Edited by Arne MN Thursday, April 2, 2015 5:25 PM
    Thursday, April 2, 2015 5:25 PM