c# Directory Services Synchronization does not return changed relationships

  • Question

  • User-1357711384 posted

    I'm using C# to work with AD (Win 2012R2).
    We are syncing AD users, groups and their relationships to a SQL database.
    Full sync works well.
    But when using the synchronization cookie, the relationship changes are not detected.
    What may be the reason?
    Thanks.
    Here is my code:

    using System;
    using System.DirectoryServices;

    public void DirSyncChanges(DirectoryEntry de, byte[] cookie)
    {
        // Resume the DirSync session from the cookie saved by the previous run.
        DirectorySynchronization syncData = new DirectorySynchronization(cookie);
        DirectorySearcher srch = new DirectorySearcher(de)
        {
            Filter = "(&(objectClass=user)(objectCategory=person))",
            SizeLimit = Int32.MaxValue,
            Tombstone = true
        };
        srch.DirectorySynchronization = syncData;
        syncData.Option = DirectorySynchronizationOptions.None;
        using (SearchResultCollection results = srch.FindAll())
        {
            foreach (SearchResult res in results)
            {
                //results is empty. no loop
            }
        }
    }


    Thursday, October 23, 2014 8:23 AM

Answers

  • User-934909271 posted

    Maybe it is because MemberOf is a constructed attribute? I don't think you can actually set the value of it. When you add a user to a group, the "MemberOf" attribute on that user doesn't get changed directly, only the "Member" attribute on the group you added them to gets updated. Then when anyone queries the MemberOf attribute for that user it will look for any groups where the user is listed in the Member attribute and will return a list of those groups.

    So basically you need to monitor the Member attribute on groups instead if you want to detect when a user was added to a new group.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, October 29, 2014 9:46 PM
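    Added example (not the poster's or the answerer's code) of what the accepted answer describes: a DirSync pass over group objects that asks for the member attribute, using the IncrementalValues option so AD reports only the member values added or removed since the cookie. It assumes the searcher is rooted at the domain naming context and that the account holds the Replicating Directory Changes right, which the DirSync control requires (the COM security exception mentioned earlier is what you see without it).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Hypothetical helper: one incremental pass over groups, reporting member changes.
public static class GroupMemberSync
{
    public static byte[] PollGroupMemberChanges(DirectoryEntry namingContextRoot, byte[] cookie)
    {
        // IncrementalValues makes the server return only the changed member values
        // rather than the whole member list; an empty cookie yields a full first pass.
        var syncData = new DirectorySynchronization(
            DirectorySynchronizationOptions.IncrementalValues, cookie ?? new byte[0]);

        using (var srch = new DirectorySearcher(namingContextRoot))
        {
            srch.Filter = "(objectClass=group)";     // watch group.member, not user.memberOf
            srch.PropertiesToLoad.Add("member");
            srch.PropertiesToLoad.Add("distinguishedName");
            srch.Tombstone = true;                   // deleted groups still come back
            srch.DirectorySynchronization = syncData;

            using (SearchResultCollection results = srch.FindAll())
            {
                foreach (SearchResult res in results)
                {
                    string groupDn = res.Properties["distinguishedName"][0].ToString();
                    // With IncrementalValues, added values arrive as "member;range=1-1"
                    // and removed values as "member;range=0-0".
                    foreach (string added in Values(res, "member;range=1-1"))
                        Console.WriteLine("ADD    {0} -> {1}", added, groupDn);
                    foreach (string removed in Values(res, "member;range=0-0"))
                        Console.WriteLine("REMOVE {0} <- {1}", removed, groupDn);
                }
            }
            // Only valid after FindAll() has been enumerated; persist it for the next poll.
            return syncData.GetDirectorySynchronizationCookie();
        }
    }

    private static IEnumerable<string> Values(SearchResult res, string attr)
    {
        if (!res.Properties.Contains(attr)) yield break;
        foreach (object v in res.Properties[attr]) yield return v.ToString();
    }
}
```

    Because memberOf is a back-link, the user object's metadata never changes when it is added to a group, so a user-filtered DirSync query will correctly report nothing; the group is the object that changed.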

All replies

  • User1508394307 posted

    If I run your code as is, it fails because DirectorySynchronization is not disposable. What .NET version do you use?

    Anyway, I think there could be a few things to check:

    • try to set SizeLimit to something small, like 10.
    • check if there are no specific rights required (e.g. when I run it under my account with low rights I get a COM exception regarding security)

    If nothing works, try to get rid of syncData.Option and srch.DirectorySynchronization. Does it work without DirectorySynchronization?

    Thursday, October 23, 2014 8:58 AM
  • User-1357711384 posted

    Thanks for your answer, I fixed the code.

    I'm using .NET 3.5.

    • Limiting to 10 didn't work
    • I have domain admin credentials
    • In a regular sync I get the user and can get his groups

    Is it possible that the cookie sync does not support user "Member of" changes?

    Thursday, October 23, 2014 9:11 AM
  • User1508394307 posted

    Well, if you mean that the above code works for all changes except memberOf, then most likely it does not support memberOf.

    Thursday, October 23, 2014 9:35 AM