Filtering AD users based on disting

  • Question

  • User-540818677 posted

    I have the following code inside my ASP.NET MVC web application, to show all the AD users:

    public List<DomainContext> GetADUsers(string term=null)
    {
        string[] types = new string[] { "BranchA", "BranchB" };
        List<DomainContext> results = new List<DomainContext>();
        string ADServerName = System.Web.Configuration.WebConfigurationManager.AppSettings["ADServerName"];
        using (var context = new PrincipalContext(ContextType.Domain, ADServerName, "username", "password"))
        using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
        {
            var searchResults = searcher.FindAll();

            foreach (Principal p in searchResults)
            {
                if ((term == null || p.SamAccountName.ToString().ToUpper().StartsWith(term.ToUpper())) && (types.Contains(p.DistinguishedName)))

    But the above returned all service accounts, such as sharepoint_searchserver, so I want to filter the users to retrieve only the actual users. I tried to filter by keeping users which contain our branches in their DistinguishedName, but this returns an empty user list. So my question is: how can I filter the AD to retrieve only actual users?

    Wednesday, January 8, 2014 11:52 AM

All replies

  • User1508394307 posted

    You can try to get accounts, e.g. only where email address is set

    // Replaces: using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
    UserPrincipal up = new UserPrincipal(context);

    // Query-by-example filter: match only accounts that have an e-mail address set
    up.EmailAddress = "*";

    // Declare the searcher before assigning its filter
    PrincipalSearcher searcher = new PrincipalSearcher();
    searcher.QueryFilter = up;

    var results = searcher.FindAll();
    Wednesday, January 8, 2014 12:07 PM
  • User-540818677 posted

    You can try to get accounts, e.g. only where email address is set

    But I cannot guarantee that service accounts do not have emails. Why can't I search the distinguished names, as I am doing in my code with types.Contains(p.DistinguishedName)?

    Wednesday, January 8, 2014 12:17 PM
  • User753101303 posted

    Hi,

    This is because types.Contains checks whether p.DistinguishedName is either BranchA or BranchB, which never happens (it seems to be a confusion between String.Contains and Array.Contains, while you want to see, for each string in your array, whether p.DistinguishedName contains this string).

    Otherwise you should be able to search those branches directly (rather than getting all users and excluding some of them). See http://stackoverflow.com/questions/14205737/unable-to-find-user-after-specifying-a-container-for-principalcontext

     

    Wednesday, January 8, 2014 12:27 PM
  • User1508394307 posted

    But I cannot guarantee that service accounts do not have emails. Why can't I search the distinguished names, as I am doing in my code

    In your code you receive all accounts and then try to filter them. If you know that SamAccountName should have some key, then it is better to set up a QueryFilter and return only the required accounts.

    UserPrincipal up = new UserPrincipal(context);
    
    up.EmailAddress = "*";
    up.SamAccountName = term + "*";
    
    PrincipalSearcher searcher = new PrincipalSearcher();
    searcher.QueryFilter = up;
    var results = searcher.FindAll();

    http://msdn.microsoft.com/en-us/library/bb384378(v=vs.90).aspx

    Also, if you need to search within specific OU or DC, you can specify it e.g. as

    PrincipalContext context = new PrincipalContext(ContextType.Domain, ADServerName, "OU=BranchA,DC=domain,DC=com", "username", "password");
    Wednesday, January 8, 2014 2:09 PM
  • User-540818677 posted

    Also, if you need to search within specific OU or DC, you can specify it e.g. as

    Thanks for the reply, but how can I specify OU=BranchA OR OU=BranchB in the PrincipalContext(ContextType.Domain, ADServerName, "OU=BranchA,DC=domain,DC=com", "username", "password"); ?

    Thanks

    Wednesday, January 8, 2014 3:42 PM
  • User1508394307 posted

    If BranchA is parent for BranchB then you can call "OU=BranchA,OU=BranchB,DC=domain,DC=com". If it is not the case, then you cannot combine them in the connection string, and you need to call them separately

    "OU=BranchA,OU=BranchB,DC=domain,DC=com" 
    "OU=BranchB,OU=BranchB,DC=domain,DC=com"

    This still might be faster than calling all users and then checking their OU as per your original code.

    If you don't like it, just use my last example and check OU, but instead of

    types.Contains(p.DistinguishedName)

    do

    p.DistinguishedName.Contains(types[0]) || p.DistinguishedName.Contains(types[1]) 

    because DistinguishedName is usually a string like

    CN=jeff,OU=BranchA,DC=domain,DC=com

    and types.Contains("CN=jeff,OU=BranchA,DC=domain,DC=com") will always return nothing.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 9, 2014 4:07 AM
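
The OU check discussed in this thread, as an added example that is not code from any of the posts. It goes one step beyond the substring test in the answer: it compares whole `OU=` components of the DistinguishedName, so an account whose CN merely contains a branch name is not treated as a branch user. `OuFilter`, `SplitDn` and `IsInAllowedOu` are hypothetical names, and the sample DNs (including the `ServiceAccounts` OU) are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

static class OuFilter
{
    // Split a DN into its RDNs, honouring backslash-escaped commas ("CN=Smith\, John").
    public static List<string> SplitDn(string dn)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) { current.Append(c).Append(dn[++i]); }
            else if (c == ',') { parts.Add(current.ToString().Trim()); current.Clear(); }
            else { current.Append(c); }
        }
        parts.Add(current.ToString().Trim());
        return parts;
    }

    // True only when one RDN is exactly "OU=<allowed name>"; the CN is never consulted.
    public static bool IsInAllowedOu(string dn, IEnumerable<string> allowedOus)
    {
        return SplitDn(dn)
            .Where(rdn => rdn.StartsWith("OU=", StringComparison.OrdinalIgnoreCase))
            .Select(rdn => rdn.Substring(3))
            .Any(ou => allowedOus.Contains(ou, StringComparer.OrdinalIgnoreCase));
    }

    static void Main()
    {
        string[] types = { "BranchA", "BranchB" };
        string[] sampleDns =   // constructed sample DNs, not from a real directory
        {
            "CN=jeff,OU=BranchA,DC=domain,DC=com",
            "CN=Smith\\, John,OU=BranchB,DC=domain,DC=com",
            "CN=BranchA_backup,OU=ServiceAccounts,DC=domain,DC=com",
            "CN=sharepoint_searchserver,OU=ServiceAccounts,DC=domain,DC=com",
        };
        foreach (string dn in sampleDns)
        {
            bool substring = types.Any(t => dn.Contains(t));  // the substring test from the answer
            Console.WriteLine($"ou-match={IsInAllowedOu(dn, types),-5} substring={substring,-5} {dn}");
        }
    }
}
```

The third sample DN is the case that separates the two checks: the substring test accepts it because of its CN, while the component comparison rejects it.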