idealsw asked:
Returning foreignSecurityPrincipal from a group in AD?

I have two domains which are trusted and some domain 2 groups have foreign security principal members from domain 1.

I thought that using DirectorySearcher with a filter like:

// dentry is the DirectoryEntry used as the search root; activeDirectoryGroup is the group being inspected.
// The filter asks for objects whose memberOf lists the group and whose objectCategory is
// "Foreign-Security-Principal" (the schema CN of the class; its lDAPDisplayName is foreignSecurityPrincipal).
DirectorySearcher ds = new DirectorySearcher(dentry)
{
    Filter = String.Format("(&(memberOf={0})(objectCategory=Foreign-Security-Principal))", activeDirectoryGroup.DistinguishedName)
};

would return the user accounts or the SIDs, but it doesn't return anything.

Am I approaching this in the correct way?

Many thanks

Ian
Netman66

If you have conditional forwarding setup properly on both trusted domains, then the SIDs should resolve correctly.

idealsw

ASKER

Hi,

It's not the resolution of the SID that's the problem.

When I query the group using a filter such as:

Filter = String.Format("(&(memberOf={0})(objectCategory={1}))", activeDirectoryGroup.DistinguishedName, objectClass)

where objectClass is "person", it doesn't return any of the Foreign-Security-Principal users in the group.

Thanks

Ian
Best I can figure is that objectClass is not indexed where objectCategory is.

I'm wondering if there is another tool that may work better.

Would this work for you?  http://www.imanami.com/groupid/reports/default.aspx

Ok, after thinking about this I think the reason is that you are specifically asking for a return of DistinguishedName.   The objClass of your query is located in a different place from the Foreign-Security-Principal container and as such it's not where it's expected to be based on your query.  Since I can't see the rest of your code, I can't comment on this.

I suspect you'll need two separate actions with error handling so that you'd run your first code as is and then a specifically crafted query looking for these foreign principals with the right DN path while also ensuring you handle the possibility there are none in this group.

This may be of value, under the "Finding ourselves" perhaps.

http://msdn.microsoft.com/en-us/magazine/cc135979.aspx
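The "two separate queries" approach suggested above, as an added example that is not code from this thread: this is the foreign security principal half, written against System.DirectoryServices (the person half is the existing objectCategory=person filter). It assumes an LDAP root of LDAP://DC=domain2,DC=local and a group DN of CN=Server Admins,OU=Groups,DC=domain2,DC=local as placeholders, and the names FspMembers, FindFspMembers, FspMember, Translate and EscapeFilterValue are hypothetical. It goes beyond the thread in two ways: the objectCategory value is the class's lDAPDisplayName foreignSecurityPrincipal, since the server resolves a non-DN objectCategory value by lDAPDisplayName and the schema CN Foreign-Security-Principal does not match; and an optional transitive flag uses LDAP_MATCHING_RULE_IN_CHAIN so that FSPs reached through nested groups are returned as well.

```csharp
// Added example, not from the original thread. Finds a group's members that are
// foreign security principals (FSPs) and translates their SIDs across the trust.
// "LDAP://DC=domain2,DC=local" and the group DN are placeholders for real values.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

class FspMembers
{
    // LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf match through nested groups.
    const string InChain = ":1.2.840.113556.1.4.1941:";

    static void Main()
    {
        string groupDn = "CN=Server Admins,OU=Groups,DC=domain2,DC=local"; // placeholder
        foreach (FspMember m in FindFspMembers("LDAP://DC=domain2,DC=local", groupDn, transitive: false))
            Console.WriteLine("{0}\n\t{1}\n\t{2}", m.Dn, m.Sid, m.Account);
    }

    public sealed class FspMember
    {
        public string Dn;                 // DN under CN=ForeignSecurityPrincipals in domain 2
        public SecurityIdentifier Sid;    // SID issued by domain 1
        public string Account;            // DOMAIN\name, or "<unresolved>" if translation fails
    }

    public static List<FspMember> FindFspMembers(string ldapRoot, string groupDn, bool transitive)
    {
        var found = new List<FspMember>();

        // objectCategory is matched on the class's lDAPDisplayName ("foreignSecurityPrincipal");
        // the schema CN "Foreign-Security-Principal" does not match. The group DN is
        // escaped (RFC 4515) before being embedded in the filter.
        string filter = String.Format("(&(objectCategory=foreignSecurityPrincipal)(memberOf{0}={1}))",
            transitive ? InChain : "", EscapeFilterValue(groupDn));

        using (var root = new DirectoryEntry(ldapRoot))
        using (var ds = new DirectorySearcher(root, filter, new[] { "distinguishedName", "objectSid" }))
        {
            ds.PageSize = 500;                     // paged results for groups above the server size limit
            ds.SearchScope = SearchScope.Subtree;
            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    var sid = new SecurityIdentifier((byte[])r.Properties["objectSid"][0], 0);
                    found.Add(new FspMember
                    {
                        Dn = (string)r.Properties["distinguishedName"][0],
                        Sid = sid,
                        Account = Translate(sid)
                    });
                }
            }
        }
        return found;
    }

    static string Translate(SecurityIdentifier sid)
    {
        try
        {
            // Lookup goes over the trust to domain 1. Well-known SIDs such as
            // S-1-5-11 (Authenticated Users) also live in ForeignSecurityPrincipals
            // and translate to NT AUTHORITY\... names.
            return sid.Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException)
        {
            // Trust or name-resolution problem, or the principal no longer exists in domain 1.
            // Report it rather than silently dropping the member.
            return "<unresolved>";
        }
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }
}
```

Run it under an account in domain 2 that can read the group and the ForeignSecurityPrincipals container. An FSP whose SID cannot be translated is still listed, which is how stale entries (principals deleted in domain 1 but still in the group) and trust or DNS problems show up instead of disappearing from the report; the DN alone tells you nothing beyond the SID, so the translated name is what an auditor needs.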
idealsw

ASKER

I've tried a completely different approach using:

            using System;
            using System.DirectoryServices.AccountManagement;

            // Bind to the domain and look the group up by name; FindByIdentity returns
            // null if the group does not exist, so check before using it.
            using (PrincipalContext adPrincipalContext = new PrincipalContext(ContextType.Domain, "DOMAIN"))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(adPrincipalContext, "DOMAIN Server Admins"))
            {
                if (group == null)
                    throw new InvalidOperationException("Group not found");

                // GetMembers() resolves each member, including foreign security
                // principals from the trusted domain, to a Principal object.
                using (PrincipalSearchResult<Principal> members = group.GetMembers())
                {
                    Console.WriteLine("No of members {0}", group.Members.Count);

                    foreach (Principal member in members)
                    {
                        Console.WriteLine("{0}\r\n\t{1}\r\n\t{2}", member.ToString(), member.Guid, member.DistinguishedName);
                    }
                }
            }

which works perfectly.

Thanks for your input.
ASKER CERTIFIED SOLUTION
Netman66