How can I get a list of memebers of an AD Group? RRS feed

  • Question

  • User1789156440 posted
        I am trying to connect to our LDap server, and given a certain AD Group, return the members of that group (possibly in an array of strings of usernames). Could someone help with this?
    Monday, July 24, 2006 10:13 AM

All replies

  • User1354132231 posted
    What have you tried so far?
    Monday, July 24, 2006 11:04 AM
  • User1789156440 posted
    I noticed on part of our web site that someone used asp to get the AD groups someone belongs to given their user name.  I am trying to do this in ASP.NET. I followed the instructions here: http://msdn.microsoft.com/en-us/library/ms180890.aspx but it did not really help. I am simply trying to get a list of users that belong to a particular AD group on our LDAP server.
    Monday, July 24, 2006 11:22 AM
  • User1354132231 posted
    These are two different things.  Are you trying to get the user's group membership, or are you trying to get the membership of a group?

    That particular code you are referring to is pure crap and should not have been published.

    Depending on which one you want, I can point you to resources either way.
    Monday, July 24, 2006 12:19 PM
  • User1789156440 posted
    Trying to get the members of the a particular AD group.  So like, given the AD group name "IT_Providers" for example, I would like to: a.) restrict access to certain pages only to those in this AD group, and b.) print out the user names of the AD group.  Thanks. Like I said, I saw how this was done on a particular .asp page, but I am trying to do it w/ ASP.NET ex) aspx and C# .
    Monday, July 24, 2006 2:00 PM
  • User1354132231 posted
    Read this post and its related one from my blog.  This is how you would expand group membership given a group.

    Separately (and not really related at all), if you want to restrict users by role to a specific page, you should look into role providers or using integrated security.  These authentication methods put the roles on the user's security context for the ASP.NET app.  You can then use declarative security in your web.config (see the <location> tag) or the IsInRole method from the IPrincipal interface to make these authorization decisions.

    Monday, July 24, 2006 3:19 PM
  • User1789156440 posted
    How about this?
    Wednesday, July 26, 2006 9:42 AM
  • User1354132231 posted
    I am not sure what you are asking...

    How about what?  The article?  The style?  The technique?
    Wednesday, July 26, 2006 2:39 PM
  • User1789156440 posted
    I tried it, but I can't get it to work.
    should the connection be like this?
    "LDAP://MySite.com/dc=MySite,dc=com" or like "LDAP://MySite.com/cn=TheGroupIWant,dc=MySite,dc=com" or what?

    Basically, this should not be as difficult as I am finding it to be. I simply want to connect to your LDAP server, and view the members of a givin AD group using ASP.NET and C#. I'm just frustrated because I have spent days on this now.

    Thanks for your help by the way.
    Wednesday, July 26, 2006 2:53 PM
  • User1354132231 posted
    So, I am gathering that you are having issues constructing a valid LDAP string.  It is not too hard once you get the hang of it, but can be confusing at first.  The LDAP string has this format:

    LDAP://{server:port}/{distinguished name}

    In AD, the server and port information are optional in some cases, so that is why you often only see the DN portion.  If you were to use the code I showed you, it is expecting a DirectoryEntry that represents the group that you want to expand.

    Let's illustrate by example - suppose my AD looks like this:

        - CN=Users
        - OU=Domain Groups
           - OU=Resource Groups
              -CN=Group I Care About

    I would construct my LDAP path by going from deepest to shallowest:

    CN=Group I Care About,OU=Resource Groups,OU=Domain Groups,DC=domain,DC=com

    Of course, your exact wording will be specific to your AD instance, but you should get the idea.  Once you know the path to the group, it is easy to construct your DirectoryEntry:

    DirectoryEntry group = new DirectoryEntry(
        LDAP://CN=Group I Care About,OU=.... blah",

    Now, you can use this with the code I showed you previously.
    Wednesday, July 26, 2006 5:50 PM