Return only changed members from Active Directory Group using .NET DirectorySearcher

  • Question

  • We are trying to synchronize user accounts in a service with those accounts in an Active Directory.

    The candidate technology is now .NET, DirectorySearcher, and "Polling for Changes Using USNChanged" (https://msdn.microsoft.com/en-us/library/ms677627.aspx).

    I need to know about modifications involving both users and selected groups. Efficiently tracking all operations (new objects, deletion, rename, move, etc.) seems feasible, except group membership changes.

    The problem: when a user's membership changes, the user's object is not modified (its uSNChanged is not updated); instead, the group object's uSNChanged is incremented. All we know is that there was a change in the group. To find out which user's membership really changed, I must download and enumerate the entire member set (which can be several thousand entries in our case).

    Is there a way to retrieve only the changed members?


    Tuesday, May 10, 2016 1:43 PM
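As an added example (not code from the original post or from Microsoft's article), this is the uSNChanged poll the question describes, with the missing piece bolted on: a cached snapshot of each changed group's member set is diffed against the current set, so only the added and removed members are reported instead of the whole membership being re-synchronized. The names `server`, `baseDn` and the persisted high-water mark are assumptions; the member set is read with LDAP range retrieval because a single read of `member` is capped at MaxValRange (1500 values by default), which matters for groups with thousands of members.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

// Added example, not code from the original post. Assumptions (hypothetical): "server" is
// one DC that is polled every time (uSNChanged values are per-DC and not comparable across
// DCs), "baseDn" is the search base, and the caller persists the returned high-water mark
// and the member cache between runs.
public static class GroupMembershipPoller
{
    // Last known member set per group DN (DN is used here for readability; objectGUID is
    // the safer key if groups get renamed or moved).
    public static readonly Dictionary<string, HashSet<string>> MemberCache =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // Reports added/removed members of every group changed since lastUsn and returns the
    // new high-water mark to persist for the next poll.
    public static long PollGroups(string server, string baseDn, long lastUsn)
    {
        // Read the DC's highestCommittedUSN *before* searching, so a change committed while
        // we enumerate is picked up on the next poll instead of being skipped.
        long newMark;
        using (var rootDse = new DirectoryEntry("LDAP://" + server + "/RootDSE"))
            newMark = Convert.ToInt64(rootDse.Properties["highestCommittedUSN"].Value.ToString());

        using (var root = new DirectoryEntry("LDAP://" + server + "/" + baseDn))
        using (var searcher = new DirectorySearcher(root))
        {
            // Only groups whose uSNChanged advanced past the high-water mark.
            searcher.Filter = string.Format("(&(objectCategory=group)(uSNChanged>={0}))", lastUsn + 1);
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000;   // paged results: >1000 changed groups would otherwise be truncated

            foreach (SearchResult result in searcher.FindAll())
            {
                string dn = (string)result.Properties["distinguishedName"][0];
                HashSet<string> current;
                using (DirectoryEntry group = result.GetDirectoryEntry())
                    current = ReadAllMembers(group);

                HashSet<string> previous;
                if (!MemberCache.TryGetValue(dn, out previous))
                    previous = new HashSet<string>(StringComparer.OrdinalIgnoreCase); // first sight: all "added"

                foreach (string m in current.Except(previous)) Console.WriteLine("{0}: added   {1}", dn, m);
                foreach (string m in previous.Except(current)) Console.WriteLine("{0}: removed {1}", dn, m);
                // The group's uSNChanged also moves for non-membership edits (description, rename,
                // ...); in that case both lists are empty and nothing is reported.
                MemberCache[dn] = current;
            }
        }
        return newMark;
    }

    // Reads the full member set with LDAP range retrieval ("member;range=<start>-*").
    public static HashSet<string> ReadAllMembers(DirectoryEntry group)
    {
        var members = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        int start = 0;
        while (true)
        {
            using (var s = new DirectorySearcher(group))
            {
                s.SearchScope = SearchScope.Base;
                s.Filter = "(objectClass=*)";
                s.PropertiesToLoad.Add(string.Format("member;range={0}-*", start));
                SearchResult r = s.FindOne();
                if (r == null) return members;

                // The DC answers under "member;range=<start>-<end>" when more values remain, or
                // "member;range=<start>-*" for the final chunk; an empty group has neither.
                string key = r.Properties.PropertyNames.Cast<string>()
                    .FirstOrDefault(n => n.StartsWith("member;range=", StringComparison.OrdinalIgnoreCase));
                if (key == null) return members;

                foreach (object v in r.Properties[key]) members.Add((string)v);
                if (key.EndsWith("*")) return members;
                start = int.Parse(key.Substring(key.LastIndexOf('-') + 1)) + 1;
            }
        }
    }
}
```

Two caveats from the MSDN polling article apply to this code as written: the high-water mark is only valid against the same DC, and if that DC is restored from backup (its invocationId changes) the mark must be reset to 0 and the cache rebuilt; and deleted groups are not returned by this filter, so a deletion has to be detected separately (for example by also polling the Deleted Objects container with the tombstone control). The diff itself is still a full read of one group's membership, so it saves bandwidth only relative to re-synchronizing every member on every change; it does not change what the DC sends.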

Answers

  • Hi fairlane_73,

    >>Is there a way to retrieve only the changed members?

    We can check DirectorySearcher Class from MSDN doc.

    There is a Filter property; search filters enable filtering for specific objects by searching for objects based on attributes associated with the object.

    Here is a sample. Please refer to the following link.

    https://msdn.microsoft.com/en-us/library/ms180883(vs.80).aspx

    But it is hard to write a "changed user" filter condition. There is no way to define it.

    I also found a nice article about Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement):

    Search Methods

    • GetUser – This will return a UserPrincipal Object if the User exists

    User Account Methods

    • SetUserPassword – This method will set the Users Password
    • EnableUserAccount – This method will Enable a User Account
    • DisableUserAccount – This method will Disable the User Account
    • ExpireUserPassword – This method will Force Expire a Users Password
    • UnlockUserAccount – This method will unlock a User Account
    • CreateNewUser – This method will create a new User Directory Object
    • DeleteUser – This method will delete an AD User based on Username

    Group Methods

    • CreateNewGroup – This method will create a New Active Directory Group
    • AddUserToGroup – This method will add a User to a group
    • RemoveUserFromGroup – This method will remove a User from a Group
    • IsUserGroupMember – This method will validate whether the User is a Member of a Group
    • GetUserGroups – This method will return an ArrayList of a User Group Memberships

    From the above functions, we can do almost everything with Active Directory groups except get the changed users. So per my understanding, you cannot do that using .NET DirectorySearcher.

    If I misunderstood you, please feel free to let me know.

    Best regards,

    Kristin


    • Marked as answer by fairlane_73 Tuesday, May 17, 2016 7:34 AM
    Wednesday, May 11, 2016 2:56 AM

All replies

  • Thank You, Kristin.

    I'm afraid your answer confirms my findings: updates at the property (and sub-property) level cannot be filtered by uSNChanged value through LDAP queries.

    This is actually sad, because it seems the bookkeeping inside Active Directory has enough information for such queries, but LDAP itself is not expressive enough to form them.

    (If someone is interested, Microsoft describes their AD replication model in
    https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx ;
    two things are clear based on this document:
    - Fine-grained bookkeeping for changes in multi-valued properties has been tracked since Windows Server 2003 (see the "Group Membership Replication in Windows Server 2003 Forests" section)
    - AD replication itself does not rely on the LDAP API. It uses a separate, more powerful RPC-based API internally.)

    Tuesday, May 17, 2016 7:34 AM
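The per-value bookkeeping the reply above points to (linked-value replication, available at Windows Server 2003 forest functional level and higher) is reachable from LDAP through the DirSync control (LDAP_SERVER_DIRSYNC_OID) rather than through DirectorySearcher. The following is an added example, not code from any participant in this thread or from Microsoft: it uses `DirSyncRequestControl` from System.DirectoryServices.Protocols with the `IncrementalValues` option, under which the DC returns, for a linked attribute such as `member`, only the values added or removed since the cookie was issued. `server`, `baseDn` and the way the opaque cookie is persisted are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;

// Added example, not code from the original thread. Assumptions (hypothetical): "server" is a
// DC, "baseDn" is the naming context to watch, the forest is at Windows Server 2003 functional
// level or higher (linked-value replication), and the caller persists the opaque DirSync
// cookie between runs and keeps polling the same DC.
public static class GroupMembershipDirSync
{
    // Runs one DirSync pass (following MoreData pages) and returns the cookie for the next pass.
    // Pass cookie = null for the initial full synchronization.
    public static byte[] PollIncrementalMembership(string server, string baseDn, byte[] cookie)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 389)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;   // integrity and confidentiality for the LDAP session
            conn.SessionOptions.Sealing = true;
            conn.AuthType = AuthType.Negotiate;   // Kerberos with the current Windows credentials
            conn.Bind();

            var request = new SearchRequest(baseDn, "(objectCategory=group)",
                                            SearchScope.Subtree, "distinguishedName", "member");
            // IncrementalValues: only added/removed link values instead of the whole member set.
            // ObjectSecurity: return only what the caller can read, instead of requiring the
            // "Replicating Directory Changes" right on the naming context.
            var dirSync = new DirSyncRequestControl(cookie,
                DirectorySynchronizationOptions.IncrementalValues | DirectorySynchronizationOptions.ObjectSecurity,
                int.MaxValue);
            request.Controls.Add(dirSync);

            while (true)
            {
                var response = (SearchResponse)conn.SendRequest(request);
                foreach (SearchResultEntry entry in response.Entries)
                {
                    // With IncrementalValues, added link values arrive under "member;range=1-1"
                    // and removed ones under "member;range=0-0" (MS-ADTS, LDAP_SERVER_DIRSYNC_OID).
                    // A full value set can also arrive under the plain attribute name (for
                    // example on the initial sync), so all three names are handled.
                    Report(entry, "member", "present");
                    Report(entry, "member;range=1-1", "added");
                    Report(entry, "member;range=0-0", "removed");
                }

                DirSyncResponseControl rc = null;
                foreach (DirectoryControl c in response.Controls)
                    if ((rc = c as DirSyncResponseControl) != null) break;
                if (rc == null)
                    throw new InvalidOperationException("DC did not return the DirSync response control");

                cookie = rc.Cookie;
                if (!rc.MoreData) return cookie;   // caller persists this for the next poll
                dirSync.Cookie = cookie;           // fetch the next page of changes
            }
        }
    }

    private static void Report(SearchResultEntry entry, string attribute, string verb)
    {
        if (!entry.Attributes.Contains(attribute)) return;
        foreach (object v in entry.Attributes[attribute].GetValues(typeof(string)))
            Console.WriteLine("{0}: {1} {2}", entry.DistinguishedName, verb, v);
    }
}
```

The ObjectSecurity option matters for least privilege: without it, DirSync requires the "Replicating Directory Changes" (DS-Replication-Get-Changes) right on the naming context, the same right that makes DCSync-style credential extraction possible, and a synchronization service account should not hold it if read access is enough. With ObjectSecurity set, objects and attributes the account cannot read are simply omitted from the results, so the account's read permissions on the groups of interest have to be verified rather than assumed.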