.NET Forum / ASP.NET / General / March 2008

Properly using directorysearcher to find a user in an AD Group

Jim in Arizona - 13 Mar 2008 18:57 GMT
I'm trying to do a check to see if a specific active directory user account
exists in active directory AND a specific group. I can't seem to get the
filter down right.

I can do this to find a matching name in active directory:

================================================
Imports System.DirectoryServices

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(sAMAccountName=jsmith))"
oresult = osearcher.FindAll()

For Each result In oresult
    'Only print entries that actually carry an sAMAccountName
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

'This results in "jsmith" being printed to the screen (if jsmith exists in
'active directory)
================================================

I can do this to find a specific group name:

================================================
Imports System.DirectoryServices

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(objectCategory=Group)(sAMAccountName=Domain Admins))"
oresult = osearcher.FindAll()

For Each result In oresult
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

'This results in "Domain Admins" being printed to the screen
================================================

I can even change the osearcher.filter to just (sAMAccountName=Domain
Admins) and get the same result.

I'm trying to figure out how I can return the result (say, the user name
(samaccountname)) if the search parameter is both in AD and in the specific
group (or just the specific group).

My goal is to do a check like this (pseudocode):

================================================
'oroot and osearcher are created exactly as in the first snippet above
Dim strUser As String = Request.ServerVariables("AUTH_USER")

'AUTH_USER normally arrives as DOMAIN\jsmith; sAMAccountName is just "jsmith"
If strUser.Contains("\") Then strUser = strUser.Substring(strUser.LastIndexOf("\") + 1)

osearcher.Filter = "(&(sAMAccountName=" & strUser & "))"
Dim adUser As SearchResult = osearcher.FindOne()

'FindOne returns Nothing when no object matched the filter
If adUser IsNot Nothing Then
  Response.Redirect(ToSomePage)    'ToSomePage / ToFailedPage: placeholders from the post
Else
  Response.Redirect(ToFailedPage)
End If
================================================

I also need to check to see if they're in a specific group. I don't know how
I'd go about that. If, for instance, they're in the Sales group in AD, then
I could redirect them to the appropriate page. I could also, of course, keep
them out of other pages if they don't belong.

TIA,
Jim
Alexey Smirnov - 13 Mar 2008 19:28 GMT
> I'm trying to do a check to see if a specific active directory user account
> exists in active directory AND a specific group. I can't seem to get the
[quoted text clipped - 73 lines]
> TIA,
> Jim

Domain Admins is an object with distinguishedName (a key to identify
this object). For example, it can look like this

"CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com"

As you can see, it defines the path to the root

corp.com
---- Domain Groups
---------- Domain Admins

So, to find the user you should call the following filter

(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com))
Jim in Arizona - 13 Mar 2008 20:18 GMT
> Domain Admins is an object with distinguishedName (a key to identify
> this object). For example, it can look like this
>
> "CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com"
>
> As you can see, it defines the path to the root
>
> corp.com
> ---- Domain Groups
> ---------- Domain Admins
>
> So, to find the user you should call the following filter
>
> (&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com))

Thanks for responding, Alexey.

So far, whatever it is I'm trying, it isn't bringing anything up other than a
blank page.

Assuming our domain name is corp.mydomain.net I've tried these different
approaches:

osearcher.Filter = "(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp, DC=mydomain, DC=net))"
jsmith is a member of Domain Admins in the case above. This returns a blank
page.

osearcher.Filter = "(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Users,DC=corp, DC=mydomain, DC=net))"
I tried the OU being Users here because the Domain Admins group is actually
in the builtin OU called Users. Still a blank page.

osearcher.Filter = "(&(sAMAccountName=jdoe)(memberOf=CN=Users,OU=Users,DC=corp, DC=mydomain, DC=net))"
Jane Doe (jdoe) is in the Users OU, which is the default OU installed with
AD. Again, just returns a blank page.

osearcher.Filter = "(&(sAMAccountName=jdoe)(memberOf=CN=Users))"
This doesn't work either but no errors are returned, just a blank page.

I'm hoping that if any of the searches were successful, their username
(sAMAccountName) would show up on the screen.

I'm not sure what to do to fix this. What am I doing wrong?

Thanks Again,
Jim
Alexey Smirnov - 16 Mar 2008 11:13 GMT
> I'm hoping that if any of the searches were successful, they're username
> (sAMAccountName) would show up on the screen.
>
> I'm not sure what to do to fix this. What am I doing wrong?

Jim, that's definitely because of the wrong memberOf value. I'm not
sure how your application is supposed to work but you can do the
following:

1) Download and install LDAP browser (for example, like the one I'm
using from http://www.ldapbrowser.com/download.htm). Connect to your
domain and check what memberOf you have in reality

2) Find the group's distinguishedName dynamically using a new
DirectorySearcher.

The search filter for finding a group you already know:

"(&(objectCategory=group)(sAMAccountName=" + groupName + "))"

where the group name is the name of the group you wanted to check
(e.g. "Domain Admins")

[pseudocode:]

Dim gsearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim gresult As SearchResultCollection

gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & groupName & "))"
gresult = gsearcher.FindAll()

Dim dn As String = Nothing

'Guard against a group that does not exist: indexing an empty collection throws
If gresult.Count > 0 Then
    dn = gresult(0).Properties("distinguishedname")(0).ToString()
End If

After that you can use this dn as a value for the final search

"(&(sAMAccountName=" & username & ")(memberOf=" & dn & "))"
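Putting Alexey's two replies together (the memberOf filter from the first reply, the dynamic group-DN lookup from the second) with Jim's redirect goal, here is an added example that is not code from the thread. The class and function names are mine; "LDAP://my.domain.local" is the placeholder path used earlier in the thread, and the "Sales" group and the two target pages are placeholders. It goes beyond the thread in three ways a practitioner would want: values spliced into a filter are escaped per RFC 4515 so a stray ")" or "*" cannot change the filter's meaning, the group lookup fails closed when the group is missing, and an optional nested check uses the AD matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), since plain memberOf only lists direct membership.

```vbnet
' Added example, not from the thread. Class and function names are mine;
' "LDAP://my.domain.local" is the placeholder path used earlier in the thread.
Imports System
Imports System.Text
Imports System.DirectoryServices

Public Class AdGroupCheck

    ' Escape a value before it is spliced into an LDAP filter (RFC 4515).
    ' Without this a value such as "x)(objectClass=*" would change the filter's
    ' meaning; AUTH_USER is server-supplied, but group names and anything taken
    ' from the request are not.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' AUTH_USER under Windows authentication is usually DOMAIN\jsmith;
    ' sAMAccountName is just "jsmith".
    Public Shared Function AccountNameFromAuthUser(ByVal authUser As String) As String
        Dim slash As Integer = authUser.LastIndexOf("\"c)
        If slash < 0 Then Return authUser
        Return authUser.Substring(slash + 1)
    End Function

    ' Step 1 (Alexey's second reply): resolve the group's distinguishedName
    ' instead of guessing it. Returns Nothing when no such group exists.
    Public Shared Function FindGroupDn(ByVal root As DirectoryEntry, ByVal groupName As String) As String
        Using gsearcher As New DirectorySearcher(root)
            gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & EscapeFilterValue(groupName) & "))"
            gsearcher.PropertiesToLoad.Add("distinguishedName")
            Dim hit As SearchResult = gsearcher.FindOne()
            If hit Is Nothing OrElse hit.Properties("distinguishedName").Count = 0 Then
                Return Nothing
            End If
            Return hit.Properties("distinguishedName")(0).ToString()
        End Using
    End Function

    ' Step 2 (Alexey's first reply): one filter that requires both the account
    ' and the memberOf value. memberOf lists direct membership only; with
    ' nested = True the AD matching rule 1.2.840.113556.1.4.1941
    ' (LDAP_MATCHING_RULE_IN_CHAIN) also follows group-in-group membership.
    Public Shared Function IsUserInGroup(ByVal root As DirectoryEntry, ByVal userName As String, _
                                         ByVal groupName As String, ByVal nested As Boolean) As Boolean
        Dim dn As String = FindGroupDn(root, groupName)
        If dn Is Nothing Then Return False   ' unknown group: deny, do not throw

        Dim memberOfAttr As String = "memberOf"
        If nested Then memberOfAttr = "memberOf:1.2.840.113556.1.4.1941:"

        Using usearcher As New DirectorySearcher(root)
            ' The DN is escaped too: a DN like "CN=Smith\, John,..." carries a
            ' backslash that must become \5c inside a filter.
            usearcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & EscapeFilterValue(userName) & _
                               ")(" & memberOfAttr & "=" & EscapeFilterValue(dn) & "))"
            usearcher.PropertiesToLoad.Add("sAMAccountName")
            Return usearcher.FindOne() IsNot Nothing
        End Using
    End Function

    ' Page-side use, as in Jim's goal: the gate stays server-side and denies by default.
    Public Shared Sub RedirectByGroup(ByVal page As System.Web.UI.Page)
        Dim account As String = AccountNameFromAuthUser(page.Request.ServerVariables("AUTH_USER"))
        Using oroot As New DirectoryEntry("LDAP://my.domain.local")
            If IsUserInGroup(oroot, account, "Sales", True) Then
                page.Response.Redirect("~/Sales/Default.aspx")   ' placeholder page
            Else
                page.Response.Redirect("~/AccessDenied.aspx")    ' placeholder page
            End If
        End Using
    End Sub
End Class
```

Two caveats worth knowing when reading blank results like the ones above. In a default domain the built-in groups live in the Users container, which is a container and not an OU, so the DN reads "CN=Domain Admins,CN=Users,DC=corp,DC=mydomain,DC=net" with no spaces after the commas; resolving the DN with FindGroupDn sidesteps that guesswork entirely. Second, a user's primary group (Domain Users by default) is recorded in primaryGroupID rather than in memberOf, so a memberOf filter never matches it; a check against the primary group has to compare that attribute instead.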

©2008 Advenet LLC