Wednesday, 01 August 2007

Getting Active Directory Group Membership in .NET 3.5

I have previously covered pretty extensively the options for getting a user's group membership in Active Directory or ADAM (soon to be Active Directory LDS (Lightweight Directory Services)) here on the blog, in the forum, and in the book.  However, there is a new option for users of .NET 3.5 that should be of interest.

The Directory Services group at Microsoft has released in beta form a new API for dealing with a lot of the common things we need to do with users, groups, and computers in Active Directory, ADAM, and the local machine.  This API is called System.DirectoryServices.AccountManagement (or SDS.AM).  Here is a simple example of how to get a users groups (including nested, and primary):

static void Main(string[] args)
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

    using (ctx)
        Principal p = Principal.FindByIdentity(ctx, "ryandunn");

        using (p)
            var groups = p.GetGroups();
            using (groups)
                foreach (Principal group in groups)
                    Console.WriteLine(group.SamAccountName + "-" + group.DisplayName);


That's not too bad - in fact, it looks worse than it is because I am trying to make sure everything is wrapped in a 'using' statement where necessary.  The equivalent code to do this would be many times more (using DsCrackNames or LDAP searches) and would yield far less information being returned (just the DN in most cases).

Over the next few weeks and months, I intend to dig more deeply into this namespace and put some samples up here for everyone.  This is just a taste for now, but it should show you how powerful this namespace really is.

 *Updated to fix CSS renderings in Google Reader

Monday, 11 July 2005

DsCrackNames in .NET

As I alluded to some time ago in my previous post, entitled “Enumerating Token Groups (tokenGroups) in .NET” there is another method to converting the collection of SIDs obtained from the ‘tokenGroups’ attribute.

An API is available to us that can conveniently convert all the SIDs in one call to a number of different formats for us.  There is a bit of pre-work involved to define the signature, setup some structures and whatnot, but it is very slick once you have it working.

I decided that a sample would be in order to demonstrate this one.  So here it is.

The usual caveats apply – this is not production code and I am an embarrassingly bad WinUI designer so give me a break.  The point of this exercise is to show you how to use this particular API in a somewhat practical sample.

Enjoy.  Feedback is welcomed.