System.DirectoryServices and Universal Security Groups

  • Question

  • I'm trying to use System.DirectoryServices to retrieve the members of a universal security group in AD.  I've implemented it using System.DirectoryServices.AccountManagement and it works.  It's just very slow.  So in my research, I stumbled upon using attribute scoped queries in S.DS to do the same thing, but faster.  My basic code is this:

    public IEnumerable<IApplicationUser> GetGroupMembers(string groupName)
    {
      string domainName = "mydomain.local";
      string groupPath = $"LDAP://CN={groupName},OU=Security Groups,OU=USA,DC=mydomain,DC=local";
      string filter = "(&(objectClass=user)(objectCategory=person))";

      // Dispose the ADSI wrappers deterministically; they hold unmanaged resources.
      using (DirectoryEntry group = new DirectoryEntry(groupPath))
      using (DirectorySearcher searcher = new DirectorySearcher())
      {
        searcher.SearchRoot = group;
        searcher.Filter = filter;
        searcher.PropertiesToLoad.Add("samAccountName");
        searcher.PropertiesToLoad.Add("name");
        searcher.PropertiesToLoad.Add("givenName");
        searcher.PropertiesToLoad.Add("middleName");
        searcher.PropertiesToLoad.Add("sn");
        searcher.PropertiesToLoad.Add("displayName");
        // An attribute scoped query requires a base-level search on the group object.
        searcher.SearchScope = SearchScope.Base;
        searcher.AttributeScopeQuery = "member";

        using (SearchResultCollection result = searcher.FindAll())
        {
          // The helper must materialize its results before the collection is disposed.
          return GetApplicationUsersFromResults(result);
        }
      }
    }


    This code works - so long as all of the users in the group are within the same domain (mydomain).  However, if some of the users in the security group are for another domain in the forest, this code generates the following error:

    Unknown error (0x5011)

    Of course, the whole reason for using a universal group is so that users from other sibling domains can be added to the group.  Can anyone tell me how to do this search so that the other domain users can be returned without error?  I haven't found anything that works yet other than using S.DS.AccountManagement, but I'd like this to perform well too.


    JohnnyG

    Thursday, November 12, 2015 2:14 PM

Answers

  • Hi JohnnyG,

    >>However, if some of the users in the security group are for another domain in the forest, this code generates the following error:

    Can anyone tell me how to do this search so that the other domain users can be returned without error?  

    From the above message, do you mean you want to query all of the users across multiple domains using C#?

    If yes, Accessing resources across domains, please note that security group.

    Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a resource.

    Please refer to the following article that talks about this:

    Querying Groups and Users across multiple domains with LDAP in C# .NET

    If I misunderstood you, please feel free to let me know.

    Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. 

    Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.

    There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Best regards,

    Kristin




    Friday, November 13, 2015 7:36 AM
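
One way to read a universal group's members across domains without the attribute scoped query from the question, as an added example that is not part of the original thread: universal group membership is replicated to the global catalog, so a single paged GC search on `memberOf` can return users from every domain in the forest. The class and method names are hypothetical, and the code assumes a reachable global catalog, the group's full DN as input, and that the requested attributes are in the GC's partial attribute set.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Text;

// Hypothetical helper (added example, not code from the thread).
public static class UniversalGroupMembers
{
    // RFC 4515 escaping: the DN is data inside the filter, never filter syntax.
    private static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns distinguishedName -> sAMAccountName for the group's direct user members.
    public static Dictionary<string, string> GetDirectMembers(string groupDn)
    {
        var members = new Dictionary<string, string>();
        using (Forest forest = Forest.GetCurrentForest())
        using (GlobalCatalog gc = forest.FindGlobalCatalog())
        using (DirectorySearcher searcher = gc.GetDirectorySearcher())
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)"
                            + "(memberOf=" + EscapeFilterValue(groupDn) + "))";
            searcher.PageSize = 500; // paged search, so large groups are not truncated
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string dn = (string)r.Properties["distinguishedName"][0];
                    members[dn] = (string)r.Properties["sAMAccountName"][0];
                }
            }
        }
        return members;
    }
}
```

Results are keyed by DN because `sAMAccountName` is only unique within one domain. Nested groups are not expanded, so code that makes authorization decisions from this list should treat it as direct membership only.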

All replies

  • Hi,

    I have an L3 domain and an L2 domain.

    I have a universal group named L2UG2 in L2.

    I have assigned this to a local group Engg in the L3 domain.

    I'm not able to fetch the members now from L3 -> Engg (as they have the L2 universal group).

    Can you please let me know what my LDAP path should be in this scenario?

     

    Thursday, February 7, 2019 9:32 AM