I'm using the System.DirectoryServices.AccountManagement namespace classes to manage the membership of several groups. These groups control the population of our print accounting system and some of them are very large. I'm running into a problem removing any user from one of these large groups. I have a test program that illustrates the problem. Note that the group I'm testing is not nested, but user.IsMemberOf() also seems to have the same problem, whereas GetAuthorizationGroups() correctly shows the groups a user is a member of. The group in question has about 81K members, which is more than it should have since Remove() isn't working, and will normally be about 65K or so.
I'd be interested to hear from other people who have had this problem and have resolved it. I've got an open case with Microsoft, but the turn around on the call is slow since the call center is about 17 hours time difference so they don't arrive for work until about an hour before I usually leave for home.
using (var context = new PrincipalContext( ContextType.Domain ))
{
using (var group = GroupPrincipal.FindByIdentity( context, groupName ))
{
using (var user = UserPrincipal.FindByIdentity( context, userName ))
{
if (user != null)
{
var isMember = user.GetAuthorizationGroups()
.Any( g => g.DistinguishedName == group.DistinguishedName );
Console.WriteLine( "1: check for membership returns: {0}", isMember );
if (group.Members.Remove( user ))
{
Console.WriteLine( "user removed successfully" );
group.Save();
}
else
{
// do save in case Remove() is lying to me
group.Save();
Console.WriteLine( "user remove failed" );
var isStillMember = user.GetAuthorizationGroups()
.Any( g => g.DistinguishedName == group.DistinguishedName );
Console.WriteLine( "2: check for membership returns: {0}", isStillMember );
}
}
}
}
}
Turns out this is a bug in the GroupPrincipal.Members.Remove() code in which remove fails for a group with more than 1500 members. This has been fixed in .NET 4.0 Beta 2. I don't know if they have plans to back port the fix into 2.0/3.x.
The work around is to get the underlying DirectoryEntry, then use Invoke to execute the Remove command on the IADsGroup object.
var entry = group.GetUnderlyingObject() as DirectoryEntry;
var userEntry = user.GetUnderlyingObject() as DirectoryEntry;
entry.Invoke( "Remove", new object[] { userEntry.Path } );
This post helped point me in the right direction, just wanted to add some addition info.
It also works binding directly to the group, and you can use it for adding group members.
using (var groupEntry = new DirectoryEntry(groupLdapPath))
{
groupEntry.Invoke("remove", new object[] { memberLdapPath });
groupEntry.Invoke("add", new object[] { memberLdapPath });
}
Also be aware, with the standard 'member' attribute, you use the user or group distinguishedName, but invoke requires the path with LDAP:// prefix, otherwise it throws a vague InnerException:
Exception from HRESULT: 0x80005000
public bool RemoveUserFromGroup(string UserName, string GroupName)
{
bool lResult = false;
if (String.IsNullOrEmpty(UserName) || String.IsNullOrEmpty(GroupName)) return lResult;
try
{
using (DirectoryEntry dirEntry = GetDirectoryEntry())
{
using (DirectoryEntry dirUser = GetUser(UserName))
{
if (dirEntry == null || dirUser == null)
{
return lResult;
}
using (DirectorySearcher deSearch = new DirectorySearcher())
{
deSearch.SearchRoot = dirEntry;
deSearch.Filter = String.Format("(&(objectClass=group) (cn={0}))", GroupName);
deSearch.PageSize = 1000;
SearchResultCollection result = deSearch.FindAll();
bool isAlreadyRemoved = false;
String sDN = dirUser.Path.Replace("LDAP://", String.Empty);
if (result != null && result.Count > 0)
{
for (int i = 0; i < result.Count; i++)
{
using (DirectoryEntry dirGroup = result[i].GetDirectoryEntry())
{
String sGrDN = dirGroup.Path.Replace("LDAP://", String.Empty);
if (dirUser.Properties[Constants.Properties.PROP_MEMBER_OF].Contains(sGrDN))
{
dirGroup.Properties[Constants.Properties.PROP_MEMBER].Remove(sDN);
dirGroup.CommitChanges();
dirGroup.Close();
lResult = true;
isAlreadyRemoved = true;
break;
}
}
if (isAlreadyRemoved)
break;
}
}
}
}
}
}
catch
{
lResult= false;
}
return lResult;
}
Related
I'm trying to get group list while authenticating user. And still getting 0 results. I unfortunately have no environment for testing, so I cannot debug this code (only via logger). Have no results and no exceptions.
private LdapResponce IsAuthenticated(string ldap, string usr, string pwd, out List<string> groups)
{
List<string> result = new List<string>();
try
{
using (var searcher = new DirectorySearcher(new DirectoryEntry(ldap, usr, pwd)))
{
searcher.Filter = String.Format("(&(objectCategory=group)(member={0}))", usr);
searcher.SearchScope = SearchScope.Subtree;
searcher.PropertiesToLoad.Add("cn");
_loggingService.Info(searcher.FindAll().Count.ToString());// here i'm getting 0
foreach (SearchResult entry in searcher.FindAll())
{
try
{
if (entry.Properties.Contains("cn"))
result.Add(entry.Properties["cn"][0].ToString());
}
catch (NoMatchingPrincipalException pex)
{
continue;
}
catch (Exception pex)
{
continue;
}
}
}
groups = result;
}
catch (DirectoryServicesCOMException cex)
{
groups = new List<string>();
if (cex.ErrorCode == -2147023570) return LdapResponce.WrongPassword;
return LdapResponce.Error;
}
catch (Exception ex)
{
groups = new List<string>();
return LdapResponce.Error;
}
return LdapResponce.Passed;
}
Add this to the top of your program
using System.DirectoryServices.AccountManagement;
Use this function and pass the username and the group you are looking to see if they are in. if the group has a group nested it will look in the nested group to see if the user is in that group too.
public static Boolean fctADIsInGroup(string LSUserName, string LSGroupName)
{
Boolean LBReturn = false;
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Put your domain name here. Right click on My computer and go to properties to see the domain name");
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, LSUserName);
// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, LSGroupName);
if (user != null)
{
// check if user is member of that group
if (user.IsMemberOf(group))
{
LBReturn = true;
}
else
{
var LSAllMembers = group.GetMembers(true);
foreach(var LSName in LSAllMembers)
{
string LSGPUserName = LSName.SamAccountName.ToUpper();
if (LSGPUserName == PSUserName.ToUpper())
{
LBReturn = true;
}
}
}
}
return LBReturn;
}
I want to get the Groups of a User from the Active Directory by an User Principal. For this task, I wrote the following static function:
internal static List<ADGroup> GetGroupsByIdentity(UserPrincipal pUserPrincipal)
{
var lResult = new List<ADGroup>();
if (pUserPrincipal != null)
{
PrincipalSearchResult<Principal> lGroups = pUserPrincipal.GetAuthorizationGroups();
// iterate over all groups
foreach (Principal p in lGroups)
{
// make sure to add only group principals
if (p is GroupPrincipal)
{
var lGroupName = "";
var lGroupSid = "";
try
{
lGroupName = p.Name;
lGroupSid = p.Sid.Value;
if (!string.IsNullOrEmpty(lGroupName) && !string.IsNullOrEmpty(lGroupSid) &&
!lResult.Any(x => x.Sid == lGroupSid))
{
lResult.Add(new ADGroup(p));
}
}
catch (Exception e)
{
if (e is PrincipalOperationException || e is NoMatchingPrincipalException)
{
// perhaps the SID could not be resolved
// perhaps the SID does not exist in the AD any more
// ignore and proceed with next
p.Dispose();
continue;
}
else
{
throw;
}
}
finally
{
p.Dispose();
}
}
p.Dispose();
}
}
return lResult;
}
When the user executes this code, he gets an Exception. Here is a part of the stack:
System.DirectoryServices.AccountManagement.NoMatchingPrincipalException:
An error occurred while enumerating the groups. The group could not be found.
at System.DirectoryServices.AccountManagement.AuthZSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at xxx.xxxxxxxxx.Mvc.CustomSetup.ADHandler.GetGroupsByIdentity(UserPrincipal pUserPrincipal) // the function above
at ...
Where is the problem and how can I solve it?
It seems like the method GetAuthorizationGroups() have a few limitations. This is an old Exception that have existed since 2009. And Microsoft won't fix it because "there is a reasonable workaround". https://connect.microsoft.com/VisualStudio/feedback/details/522539/clr-forum-error-calling-principal-getauthorizationgroups-in-winxp-sp3
I got this error when using Principal.IsMemberOf(). I searched if a user existed in a custom list of groups. If a group didn't exist in the Domain, it threw this
System.DirectryServices.AccountManagement.NoMatchingPrincipalException
https://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.nomatchingprincipalexception(v=vs.110).aspx
Error example 1 using .IsMemberOf()
List<string> groups = Constants.ADGroups(); // List of AD groups to test against
var context = new PrincipalContext(
ContextType.Domain,
"Domain");
var userPrincipal = UserPrincipal.FindByIdentity(
context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
// Verify that the user is in the given AD group (if any)
foreach (var group in groups)
if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
return true;
Error example 2 using .GetAuthorizationGroups():
var context = new PrincipalContext(ContextType.Domain,"Domain");
var userPrincipal = UserPrincipal.FindByIdentity(
context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
if (userPrincipal != null)
{
var principalGroups = userPrincipal.GetAuthorizationGroups();
foreach (var principalGroup in principalGroups)
{
foreach (var group in groups)
{
if (String.Equals(
principalGroup.Name,
group,
StringComparison.CurrentCultureIgnoreCase))
{
return true;
}
}
}
}
Solution 1: Proposed workaround is to iterate over AD Groups:
GetAuthorizationGroups() is throwing exception
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
var iterGroup = groups.GetEnumerator();
using (iterGroup)
{
while (iterGroup.MoveNext())
{
try
{
Principal p = iterGroup.Current;
Console.WriteLine(p.Name);
}
catch (NoMatchingPrincipalException pex)
{
continue;
}
}
}
Solution 2: What I instead ended up using (MVC app using Windows Authentication):
This is a lighter way to check auth, iterating over a large company's AD can be slow...
var wi = HttpContext.Current.User.Identity as WindowsIdentity;
if (wi != null)
{
var wp = new WindowsPrincipal(wi);
List<string> groups = Constants.ADGroups(); // List of AD groups to test against
foreach (var #group in groups)
{
Debug.WriteLine($"Searching for {#group}");
if (wp.IsInRole(#group))
{
return true;
}
}
}
Here is my code
public static string UpdateEmptyCaseRevierSet() {
string response = string.Empty;
using (System.Transactions.TransactionScope tran = new System.Transactions.TransactionScope()) {
using (var db = new Entities.WaveEntities()) {
var maxCaseReviewersSetID = db.CaseReviewerSets.Select(crs => crs.CaseReviewersSetId).Max();
var emptyCHList = db.CaseHistories.Where(ch => ch.CaseReviewersSetID == null && ch.IsLatest == true && ch.StatusID != 100).ToList();
for(int i=0; i < emptyCHList.Count; i++) {
var emptyCH = emptyCHList[i];
var newCaseReviewerSET = new Entities.CaseReviewerSet();
newCaseReviewerSET.CreationCHID = emptyCH.CHID;
db.CaseReviewerSets.Add(newCaseReviewerSET);
emptyCH.CaseReviewerSet = newCaseReviewerSET;
}
db.SaveChanges();
}
tran.Complete();
}
return response;
}
The exception occures on "db.SaveChanges()"
I saw in another post with the same error message something about "it seems I cannot have two connections opened to the same database with the TransactionScope block." but I dont think that this has anything to do with my case.
Additionally the number of records to insert and update in total are 2700, witch is not that many really. But it does take quite a lot of time to complete the for statement (10 minutes or so). Since everything happening within the for statement is actually happening in the memory can someone please explane why is this taking so long ?
You can try as shown below using latest db.Database.BeginTransaction API.
Note : use foreach instead of for
using (var db = new Entities.WaveEntities())
{
using (var dbContextTransaction = db.Database.BeginTransaction())
{
try
{
var maxCaseReviewersSetID = db.CaseReviewerSets.Select(crs => crs.CaseReviewersSetId).Max();
var emptyCHList = db.CaseHistories.Where(ch => ch.CaseReviewersSetID == null && ch.IsLatest == true && ch.StatusID != 100).ToList();
foreach(var ch in emptyCHList) {
var newCaseReviewerSET = new Entities.CaseReviewerSet();
newCaseReviewerSET.CreationCHID = ch.CHID;
db.CaseReviewerSets.Add(newCaseReviewerSET);
}
db.SaveChanges();
dbContextTransaction.Commit();
}
catch (Exception)
{
dbContextTransaction.Rollback();
}
}
}
So here is the code using S.DS.P to get all users very quickly in pages of 500 at a time..
public List<AllAdStudentsCV> GetUsersDistinguishedNamePagedResults( string domain, string distinguishedName )
{
try
{
NetworkCredential credentials = new NetworkCredential( ConfigurationManager.AppSettings["AD_User"], ConfigurationManager.AppSettings["AD_Pass"] );
LdapDirectoryIdentifier directoryIdentifier = new LdapDirectoryIdentifier( domain + ":389" );
List<AllAdStudentsCV> users = new List<AllAdStudentsCV>();
using (LdapConnection connection = new LdapConnection(directoryIdentifier, credentials))
{
string filter = "(&(objectClass=user)(objectCategory=person))";
string baseDN = ConfigurationManager.AppSettings["AD_DistinguishedName"];
string[] attribArray = {"name", "sAMAccountName", "objectGUID", "telexNumber", "HomePhone"};
List<SearchResultEntry> srList = PerformPagedSearch(connection, baseDN, filter, attribArray);
if (srList.Count == 0) return null;
foreach (SearchResultEntry entry in srList)
{
<...snip a bunch of code to filter out bad users by CN...>
users.Add( user );
}
catch ( Exception ex )
{
throw;
}
}
}
}
return users;
}
catch ( Exception ex )
{
throw;
}
}
private List<SearchResultEntry> PerformPagedSearch( LdapConnection connection, string baseDN, string filter, string[] attribs )
{
List<SearchResultEntry> results = new List<SearchResultEntry>();
SearchRequest request = new SearchRequest(
baseDN,
filter,
System.DirectoryServices.Protocols.SearchScope.Subtree,
attribs
);
PageResultRequestControl prc = new PageResultRequestControl(500);
//add the paging control
request.Controls.Add(prc);
int pages = 0;
while (true)
{
pages++;
SearchResponse response = connection.SendRequest(request) as SearchResponse;
//find the returned page response control
foreach (DirectoryControl control in response.Controls)
{
if (control is PageResultResponseControl)
{
//update the cookie for next set
prc.Cookie = ((PageResultResponseControl) control).Cookie;
break;
}
}
//add them to our collection
foreach (SearchResultEntry sre in response.Entries)
{
results.Add(sre);
}
//our exit condition is when our cookie is empty
if ( prc.Cookie.Length == 0 )
{
Trace.WriteLine( "Warning GetAllAdSdsp exiting in paged search wtih cookie = zero and page count =" + pages + " and user count = " + results.Count );
break;
}
}
return results;
}
It works perfectly on DEV and on Prod, but suddenly stopped working on the QA webserver when it talks to the QA AD server. it only returnes one page and then stops.
If I point DEV to the QA AD server it works correctly...
It was working before Feb 2012, last time I tested in QA, and definitely was broken in place by March 7, 2012
Can anyone think of anything that would cause this behavior? perhaps a windows update? I've had one jack this product up before...
I'm reasonably convinced that it's not the code or the configuration...as it works on so many other combinations... it's netowrk/securiyt/os related.. but I can't figure out what changed.
Any Help is appreicated
Had the exact same issue where no pages were returned after the first one.
Here is what I found to fix the problem:
PageResultRequestControl pageRequestControl = new PageResultRequestControl(500);
SearchOptionsControl soc = new SearchOptionsControl(System.DirectoryServices.Protocols.SearchOption.DomainScope);
request.Controls.Add(pageRequestControl);
request.Controls.Add(soc);
No idea what the SearchOptionsControl does, but since I added this, AD returns all the expected objects.
This line solves the issue (connection is LdapConnection) ->
connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
https://social.msdn.microsoft.com/Forums/vstudio/en-US/17957bb2-15b4-4d44-80fa-9b27eb6cb61f/pageresultrequestcontrol-cookie-always-zero?forum=csharpgeneral
I spend more than a day to find out that the Principal object is using way more bandwidth than the using the DirectoryServices. The scenario is like this. I have a group with ~3000 computer objects in it. To check if a computer is in this group I retrieved the GroupPrincipal and searched for the ComputerPrincipal.
Boolean _retVal = false;
PrincipalContext _principalContext = null;
using (_principalContext = new PrincipalContext(ContextType.Domain, domainController, srv_user, srv_password)) {
ComputerPrincipal _computer = ComputerPrincipal.FindByIdentity(_principalContext, accountName);
GroupPrincipal _grp = GroupPrincipal.FindByIdentity(_principalContext, groupName);
if (_computer != null && _grp != null) {
// get the members
PrincipalSearchResult<Principal> _allGrps = _grp.GetMembers(false);
if (_allGrps.Contains(_computer)) {
_retVal = true;
}
else {
_retVal = false;
}
}
}
return _retVal;
Actually very nice interface but this creates around 12MB traffic per request. If you're domain controller is in the LAN this is no issue. If you access the domain controller using the WAN it kills your connection/application.
After I noticed this I re-implemented the same functionality using DirectoryServices
Boolean _retVal = false;
DirectoryContext _ctx = null;
try {
_ctx = new DirectoryContext(DirectoryContextType.DirectoryServer, domainController, srv_user, srv_password);
} catch (Exception ex) {
// do something useful
}
if (_ctx != null) {
try {
using (DomainController _dc = DomainController.GetDomainController(_ctx)) {
using (DirectorySearcher _search = _dc.GetDirectorySearcher()) {
String _groupToSearchFor = String.Format("CN={0},", groupName);
_search.PropertiesToLoad.Clear();
_search.PropertiesToLoad.Add("memberOf");
_search.Filter = String.Format("(&(objectCategory=computer)(name={0}))", accountName); ;
SearchResult _one = null;
_one = _search.FindOne();
if (_one != null) {
int _count = _one.Properties["memberOf"].Count;
for (int i = 0; i < _count; i++) {
string _m = (_one.Properties["memberOf"][i] as string);
if (_m.Contains(groupName)) { _retVal = true; }
}
}
}
}
} catch (Exception ex) {
// do something useful
}
}
return _retVal;
This implementation will use around 12K of network traffic. Which is maybe not as nice but saves a lot of bandwith.
My questions is now if somebody has an idea what the AccountManagement object is doing that it uses so much bandwith?
THANKS!
I would guess including the following lines will do a lot to save bandwidth:
_search.PropertiesToLoad.Clear();
_search.PropertiesToLoad.Add("memberOf");
_search.Filter = String.Format("(&(objectCategory=computer)(name={0}))", accountName);
The first two are telling the DirectorySearcher to only load a single property instead of who knows how many, of arbitrary size.
The second is passing a filter into the DirectorySearcher, which I guess is probably processed server side, further limiting the size of your result set.