I'm messing up with getting a full and usable list of all recursive groups to populate up a dropdownlist control to select a group to administer right within a ASP.net page.
The used Code:
List<string> groups = new List<string>();
using (DirectorySearcher searcher = new DirectorySearcher(dEntry))
{
searcher.Filter = "(objectCategory=group)";
foreach (SearchResult result in searcher.FindAll())
{
string group = result.Path.Substring(result.Path.IndexOf("/CN=")+4);
string formatedResult = group.Substring(0, group.IndexOf(",CN="));
groups.Results.Add(formatedResult);
}
}
The result list is long, containing a bunch of system-groups, which are not needed.
Only specific system-groups should be included in the groups list, like "Administrators" and all "non-system-defined" or "system-related" groups. (Like: Departments, Applicationgroups, etc. defined in the AD-Structure).
Any hint how to do that with DirectoryEntry?
If the 0x1 flag is present in groupType attribute, the group is created by the system.
Can modify the filter to search for:
system groups:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=1))
non-system groups:
(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=1)))
I've used the example in the link below with success. I've used it to search usernames in our AD, but it can ofcourse be modified.
AccessingtheActiveDirectoryfromMicrosoftNET
Related
I am experimenting with c# and ADDS a little bit however I am trying to remove a single user from all groups with the exception of the group Domain Users.
I know how to remove the user from a single pre-determined group using
DirectoryEntry grprem = new DirectoryEntry(groupdn);
grprem.invoke("remove", new object[] { userdn });
grprem.commitchanges();
grprem.close();
And a single user from all groups using :
user.Properties["memberof"].clear();
(Getting error with this one, I think this is due to having to leave a single primary group hence the question)
But how do I leave a single group "domain users" and remove all the others?
memberOf is a special attribute computed by the directory (ie. after a new user's DN is added in a group object with the member attribute, the user's memberOf attribute values are recomputed) : so you can't add/remove/update values in it. Thus, with your existing code, the simpliest way to achieve what you need is to loop on all your user's groups and to remove your user's DN from each of this group (excepted the reserved one):
DirectoryEntry currentGroup = null;
if (user.Properties["memberOf"].Count > 0) {
foreach (string groupDn in user.Properties["memberOf"]) {
if (!groupDn.Equals("yourDomainUsersGroup", StringComparison.OrdinalIgnoreCase)) {
currentGroup = new DirectoryEntry(groupDn);
// I can't test right now, but perhaps you may not be allowed to remove a group member while looping on the memberOf attribute values
// So you would have to use a temp list to store the groups DN and after that to do a new loop on the list and then really remove the group member
currentGroup.Invoke("remove", new object[] { "yourUserDn" });
currentGroup.CommitChanges();
currentGroup.Close();
}
}
I currently have the following code which successfully gets all Security Groups from AD and adds them into a Check List box:
try
{
Logging.LogMessageToFile("Reading Security Groups from AD.");
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
GroupPrincipal qbeGroup = new GroupPrincipal(ctx);
PrincipalSearcher srch = new PrincipalSearcher(qbeGroup);
foreach (var found in srch.FindAll())
{
lstAdGroups.Items.Clear();
lstAdGroups.Items.Add(found);
}
}
catch (Exception ex)
{
Logging.LogMessageToFile("Unexpected error reading Security Groups from AD: " + ex.Message);
}
My issue is that it currently pulls every Security Group (where ideally I'd only like to only list custom created security groups (eg, exclude any from the Users or Builtin OU's). I can't see if there are any properties against groups to filter 'custom' from out the box. Is this even possible?
PrincipalSearcher can only filter based on attributes that are exposed in properties of the various Principal classes. If you're looking for groups, you're limited to filtering based on the properties of the GroupPrincipal class.
That issues aside, filtering out objects in certain OUs isn't something you can do in a query at all simply because there is no AD attribute that contains the OU that you're allowed to filter on. So there is two ways you can do this:
Do what you're already doing, but in your loop, look at the DistinguishedName property of the result. If it's in an OU you don't like, then just continue;.
You can use DirectorySearcher directly (which is what PrincipalSearcher uses in the background anyway), and filter by the isCriticalSystemObject attribute. That will filter out built-in objects like the Domain Admins and Users groups, etc.
Here is a simple example using DirectorySearcher that just outputs the name of each group:
var searcher = new DirectorySearcher("(&(objectClass=group)(!isCriticalSystemObject=TRUE))");
using (var results = searcher.FindAll()) {
foreach (SearchResult result in results) {
Console.WriteLine(result.Properties["cn"][0]);
}
}
I am trying to search on multiple fields in Umbraco and order the results by two factors:
Is it a specific type, yes place it on top
Order it by stock
I am using Umbraco 4.9.1.
var Searcher = ExamineManager.Instance.SearchProviderCollection["MySearcher"];
var searchCriteria = Searcher.CreateSearchCriteria();
var results = Searcher.Search(searchCriteria.OrderByDescending("IsAccesoires", "stock").Compile().RawQuery(search));
If I only search on IsAccesoires it works; if I search on both (IsAccesoires and stock") stock ignores the IsAccesoires.
We got a special multivalue attribute. Let's call it ourOwnManagedBy which can contain users or groups (their DN) that manages the current group.
How can I retrieve a list of all groups that a specific user manages (with the help of managedBy and ourOwnManagedBy)?
For instance. Let's say that the user is member of the group GlobalAdministrators and that the group ApplicationAdministrators has GlobalAdministrations as a member. And finally the group MyApplication which has ApplicationAdministrators in the ourOwnManagedBy attribute.
User is member of GlobalAdministrators
GlobalAdministrators is member of ApplicationAdministrators
MyApplication got ApplicationAdministrators in ourOwnManagedBy
How do I use that information to find all groups that a specific user manages? Is it possible to do some kind of recursive check in custom attributes (that contains DNs of users and groups)?
Update
I've tried to use a directory search filter like this:
string.Format("(ourOwnManagedBy:1.2.840.113556.1.4.1941:={0})", dn);
but I might have missunderstood what 1.2.840.113556.1.4.1941 does? (MSDN page)
This is, I'm afraid, not possible to accomplish with only one LDAP query. You will have to split it into subqueries and run the each separately, which in turn will choke the domain controller if there's a lot to iterate over.
I tried to do it the way I described, and the performance was horrible, at least doing it using the available modules for .NET.
The following page says 3.1.1.3.4.4 LDAP Matching Rules (extensibleMatch) says that the LDAP_MATCHING_RULE_TRANSITIVE_EVAL that you are using does work in Windows 2008 and higher editions. If you are using 2003, it may not work.
No recursion, no idea on how it will do performance wise, may have bugs.
string user = "username";
//get domain
DirectoryEntry de = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().GetDirectoryEntry();
//get users dn first
string userDN;
using (var searcher = new DirectorySearcher(de))
{
searcher.Filter = String.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", user);
searcher.PropertiesToLoad.Add("distinguishedName");
userDN = searcher.FindOne().Properties["distinguishedName"][0].ToString();
}
//get list of all users groups
List<string> groups;
//see http://stackoverflow.com/questions/6252819/find-recursive-group-membership-active-directory-using-c-sharp
using (var searcher2 = new DirectorySearcher(de))
{
searcher2.Filter = String.Format("(member:1.2.840.113556.1.4.1941:={0})", userDN);
searcher2.SearchScope = SearchScope.Subtree;
searcher2.PropertiesToLoad.Add("distinguishedName");
SearchResultCollection src = searcher2.FindAll();
groups = (from SearchResult c in src
select c.Properties["distinguishedName"][0].ToString()).ToList();
}
//build giant search query
SearchResultCollection srcGroups;
using (var searcher = new DirectorySearcher(de))
{
string baseString = "(|{0})";
string managedbybase = "(managedBy={0})";
//I've read that you can search multivalued lists using a standard ='s.
string ourOwnManagedByBase = "(ourOwnManagedBy={0})";
StringBuilder sb = new StringBuilder();
//add user DN to list of group dn's
groups.Add(userDN);
foreach (string g in groups)
{
sb.AppendFormat(managedbybase, g);
sb.AppendFormat(ourOwnManagedByBase, g);
}
searcher.Filter = string.Format(baseString, sb.ToString());
srcGroups = searcher.FindAll();
}
I'll be honest and say that this doesn't actually work for me :) But I think it's because of the way our domain is configured. If nothing else maybe it will push you in the right direciton.
I created a WCF web service to return user and group information from Active Directory. It works for most groups and users.
I use directoryEntry.Invoke("groups",null) to return the groups a specified user is member of. This returns MOST groups. The odd thing is I can find any group and enumerate its members, even if it is one of the groups missing when I use the invoke query on one of its members.
Most of the groups that exhibit this behavior are Exchange-enabled. Most of the problematic user accounts are for users in a federated domain, who use an Exchange server in the domain that I query. I am not trying to query objects in the federated domain.
My theories so far:
some security restriction does not allow enumerating all groups via invoke() even though I can query missing groups and enumerate their members.
invoke has issues with some subset of groups. Perhaps universal, dynamic, or Exchange-enabled properties are at play
the invoke method does not pick up all groups because the "federated" accounts (created as part of their Exchange account setup) are somehow different than regular domain accounts beyond the sid mapping back to their login domain.
There are two known issues with using the "Groups" property on a DirectoryEntry:
it will not show you the "Default group" a user is in (typically "Users")
it will not show you nested group memberships
So if a user is member of a group A, and that group then in turn is member of Group B, then in Windows, this means that the user is also member of Group B. However, the DirectoryEntry will not show you that nested group membership.
Those are the two only restrictions I know of for straight Active Directory (without Exchange).
Getting the default group is a bit involved, but I do have a code sample for that.
private string GetPrimaryGroup(DirectoryEntry aEntry, DirectoryEntry aDomainEntry)
{
int primaryGroupID = (int)aEntry.Properties["primaryGroupID"].Value;
byte[] objectSid = (byte[])aEntry.Properties["objectSid"].Value;
StringBuilder escapedGroupSid = new StringBuilder();
// Copy over everything but the last four bytes(sub-authority)
// Doing so gives us the RID of the domain
for(uint i = 0; i < objectSid.Length - 4; i++)
{
escapedGroupSid.AppendFormat("\\{0:x2}", objectSid[i]);
}
//Add the primaryGroupID to the escape string to build the SID of the primaryGroup
for(uint i = 0; i < 4; i++)
{
escapedGroupSid.AppendFormat("\\{0:x2}", (primaryGroupID & 0xFF));
primaryGroupID >>= 8;
}
//Search the directory for a group with this SID
DirectorySearcher searcher = new DirectorySearcher();
if(aDomainEntry != null)
{
searcher.SearchRoot = aDomainEntry;
}
searcher.Filter = "(&(objectCategory=Group)(objectSID=" + escapedGroupSid.ToString() + "))";
searcher.PropertiesToLoad.Add("distinguishedName");
return searcher.FindOne().Properties["distinguishedName"][0].ToString();
}
Getting the nested groups also takes a few steps and I'll have to hunt for a solution to that one, if that's the problem.
Marc
PS: as a side note - why on earth are you doing a "DirectoryEntry.Invoke("groups", null)" call? Why don't you just enumerate the DirectoryEntry.Properties["memberOf"] property which is multi-valued (contains multiple values) and has the group's DN (distinguished name) in it?
foreach(string groupDN in myUser.Properties["memberOf"])
{
string groupName = groupDN;
}
OR if you're on .NET 3.5, you can make use of the new Security Principal classes in S.DS.AccountManagement. One of them is a "UserPrincipal", which has a method called "GetAuthorizationGroups()" which does all this hard work for you - for free, basically!
See an excellent MSDN article that describes these new .NET 3.5 S.DS features for you.
I think marc_s is correct. If you want all groups, you can use the following snippet:
using (DirectoryEntry obj = new DirectoryEntry("LDAP://" + dn))
{
obj.RefreshCache(new string[] { "tokenGroups" });
string[] sids = new string[obj.Properties["tokenGroups"].Count];
int i = 0;
foreach (byte[] bytes in obj.Properties["tokenGroups"])
{
sids[i] = _ConvertSidToString(bytes);
++i;
}
obj.Close();
return sids;
}
Note that calculating nested groups is an expensive operation, so RefreshCache might take a long time to complete.
On Freund,
I am trying to make use of your code and not getting very far. I have updated the directory entry path to be "LDAP://DC=myDomain,DC=co,DC=uk" but I am not getting any results (obj.Properties["tokenGroups"].Count = 0)
I don't udnerstand how the user to list group for is specified.
Could you please point me in the right direction?
Thanks
EDIT:
I got it sorted in the end. The directory entry to get the token groups from should be a user entry... if that makes sense...
I've included some code in case anyone else has the same query:
Dim directoryEntry As DirectoryEntry = _
New DirectoryEntry("LDAP://CN=users,DC=domanName,DC=com")
Dim directorySearcher As DirectorySearcher = _
New DirectorySearcher(directoryEntry, "(sAMAccountName=" & UserName & ")")
Dim searchResult As SearchResult = directorySearcher.FindOne()
If Not searchResult Is Nothing Then
Dim userDirectoryEntry As DirectoryEntry = searchResult.GetDirectoryEntry
userDirectoryEntry.RefreshCache(New String() {"tokenGroups"})
... etc ...
End If