Confused ADSI Programmer .. Need Help...

Post by hangar1 » Sat, 08 Jul 2006 06:33:41

I have read a lot .. worked a bit .. and now I am confused.

Environment: C# and .NET 2.0

I need:
List of Users in a given domain
List of Groups in the domain
List of groups the user belongs to in that domain
User information (this I am kind of sure)
List of Local groups in the domain
List of members for those Local Groups (users and global groups)

I have seen quite some code but I just need to be guided in the right
direction. So if I get anything specific, that would be great.

If the AD is on a Win 2003 Server, can we query AD using both WinNT and

Thanks in advance and hoping to get the clouds cleared :)

Post by Marc Scheu » Sat, 08 Jul 2006 16:21:38

>Environment: C# and .NET 2.0

Bind to the domain, and create a directory searcher for users:

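// requires: using System; using System.DirectoryServices;
// placeholder path: the original line is cut off here, substitute your own domain
DirectoryEntry domain = new DirectoryEntry("LDAP://DC=example,DC=com");

DirectorySearcher dsUsers = new DirectorySearcher(domain);

// set up the filter to grab the users from the domain, and only users
dsUsers.Filter = "(&(objectClass=user)(objectCategory=Person))";

// add more properties if you need to
dsUsers.PropertiesToLoad.Add("name");
dsUsers.PropertiesToLoad.Add("mail");

// do the search and do something with the results
// (FindAll() returns SearchResult objects, not DirectoryEntry)
foreach (SearchResult user in dsUsers.FindAll())
{
    // access the properties you've defined; "mail" is empty for users without one
    string mail = user.Properties["mail"].Count > 0
        ? user.Properties["mail"][0].ToString() : "(none)";
    Console.WriteLine("Name: " + user.Properties["name"][0].ToString()
        + " / E-Mail: " + mail);
}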

Basically the same - just use a different filter:

dsxxx.Filter = "(objectClass=group)";

Look at the "memberOf" property of the user object - it contains a
list of all groups he's a member of. (almost all groups - it will
*not* contain the primary group, and it won't contain any nested
groups - you'll need to do some more work to get those).

What user information? You basically need a DirectoryEntry for the
user, and then you can access all the properties available through the
.Properties property.

That'll need the WinNT provider.

Look at the "members" property for the group.

Yes - but the WinNT provider is VERY LIMITED and should really ONLY be
used if you have to query LOCAL accounts on a machine. The WinNT
provider does not understand the concept of OU's and hierarchies - so
it will present a flat list of accounts. Also it supports only a very
limited number of attributes on objects. Don't use it unless you
absolutely have to.

Post by MVP - AD » Sat, 08 Jul 2006 23:22:52

Just to add to what Marc said, if you want to find domain local groups in
the domain, you would want to use the LDAP provider and add a bitwise filter
on the groupType attribute. If you want to examine local groups on a
machine, then you must use the WinNT provider. I took your original
statement to mean the former, whereas I think Marc understood you to mean
the latter.

With a bitwise filter on groupType, you can filter on DLG, global and
universal group types and filter on security vs. non-security as well.

Additionally, we wrote a whole book that basically explains how to do all
the stuff you are trying to do and more. You may find it very helpful if
you are planning to do much .NET DS programming.

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
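
The bitwise groupType filter described in the last post, as an added example that is not part of the original thread: it lists the domain local security groups and their direct members through the LDAP provider. The LDAP path is a placeholder, and the class and helper names are hypothetical.

```csharp
using System;
using System.DirectoryServices;

class GroupTypeFilterExample // hypothetical name
{
    // groupType bit flags defined by Active Directory
    const uint Global      = 0x00000002;
    const uint DomainLocal = 0x00000004;
    const uint Universal   = 0x00000008;
    const uint Security    = 0x80000000;
    // OID of the LDAP bitwise-AND matching rule: matches when every bit in the mask is set
    const string BitAnd = "1.2.840.113556.1.4.803";

    static string GroupFilter(uint mask)
    {
        return "(&(objectCategory=group)(groupType:" + BitAnd + ":=" + mask + "))";
    }

    static string Describe(int groupType)
    {
        uint gt = unchecked((uint)groupType); // security groups come back as negative ints
        string scope = (gt & DomainLocal) != 0 ? "domain local"
                     : (gt & Global) != 0 ? "global"
                     : (gt & Universal) != 0 ? "universal" : "other";
        return scope + ((gt & Security) != 0 ? ", security" : ", distribution");
    }

    static void Main()
    {
        // Assumption: placeholder domain path, replace with your own
        using (DirectoryEntry domain = new DirectoryEntry("LDAP://DC=example,DC=com"))
        using (DirectorySearcher ds = new DirectorySearcher(domain))
        {
            ds.Filter = GroupFilter(DomainLocal | Security); // domain local security groups only
            ds.PageSize = 500; // paged search, so results are not capped by the server size limit
            ds.PropertiesToLoad.AddRange(new string[] { "cn", "groupType", "member" });
            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    Console.WriteLine(r.Properties["cn"][0] + " [" + Describe((int)r.Properties["groupType"][0]) + "]");
                    // "member" holds DNs of direct members only; very large groups need range retrieval
                    foreach (object dn in r.Properties["member"])
                        Console.WriteLine("    " + dn);
                }
            }
        }
    }
}
```

Passing `Global`, `Universal`, or a mask without the `Security` bit to `GroupFilter` selects the other group types the same way.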