C# AccountManagement Advanced Query

geowrian asked
Last Modified: 2012-05-11
Hello Experts...

I'm writing a program that will need to perform advanced searches on Active Directory. I am using the .NET AccountManagement classes for everything else, and want to keep everything consistent if possible. I realize DirectorySearcher can fulfill my needs, but is there any way to do it in the AccountManagement framework?

Here are the requirements of my search:

1) First set of search criteria (logically OR'd together)
     a) Must be able to search on any number of group memberships.
     b) Must be able to search on a custom AD attribute. Let's call that field "major"
2) Second set of search criteria (logically OR'd together)
     a) Must be able to search on any number of group memberships.
     b) Must be able to search on the same custom AD attribute.

The final result should be a logical AND of those 2 criteria. An example would be:
Find all users that are a member of "Residents" or "Freshmen" or have a major of 200 (which would be "Computer Science"), that are also members of "Dorm1" or "Dorm2".

An LDAP query can do this as follows:
Step 1:
(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))
Step 2:
(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN))
Result (concatenation of steps 1 and 2 with an AND between them):
(&(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN)))
Step 3: Limit scope to users
(&(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN))(objectClass=user))

Is there any way to do this?

NOTE: I realize an extrinsic search is possible, but that's far too slow (about 15 minutes or so) and resource intensive given the number of users and groups in the domain. An intrinsic solution should only take a couple seconds or so to process, which is necessary since the code will be running on a web page.

*****EDIT: Ignore the remark below - I tried doing this and it was moderately slow (I'm assuming from doing the lookup of each user). It's fast enough for most circumstances since it only does a lookup on the search result matches, but too slow if the search matches most AD users.

If not possible, what's the best method for doing the LDAP search via DirectorySearcher then converting the results to UserPrincipal objects? Would this approach be too slow (and I should just forget about using UserPrincipals for this task)?


Author

Commented:
Thanks for the input. I can do the search via DirectorySearcher pretty quickly by specifying the properties I want to gather and loading them into objects in memory for later use. I got that down to about a 2 second delay, which is great. I wanted to keep everything in the AccountManagement framework, but I'm not seeing any way to do that. Trying to convert the data into UserPrincipal and GroupPrincipal objects is also too slow since it does a lookup each time. Any ideas?

Author

Commented:
Thanks all. I was unable to find any solutions for using the AccountManagement framework as desired. The DirectorySearcher option will be necessary.
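
The DirectorySearcher approach the thread settles on, as an added example that is not code from the original posts: it composes the question's AND-of-ORs filter with RFC 4515 escaping (the values arrive from a web page, so an unescaped `*`, `(` or `)` would change the query) and loads only the requested attribute in one paged search. The class and method names, the `sAMAccountName` attribute, the page size and the choice to reject an empty criteria set are assumptions; `major` is the custom attribute named in the question.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;

static class AdUserSearch   // hypothetical helper, not from the thread
{
    // RFC 4515 escaping so a value from the web form cannot alter the filter.
    static string Escape(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));   // e.g. '*' -> \2a
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // One criteria set: OR of group DNs and "major" values.
    static string OrSet(IEnumerable<string> groupDns, IEnumerable<string> majors)
    {
        var terms = groupDns.Select(dn => "(memberOf=" + Escape(dn) + ")")
            .Concat(majors.Select(m => "(major=" + Escape(m) + ")")).ToList();
        if (terms.Count == 0) throw new System.ArgumentException("empty criteria set");
        return "(|" + string.Concat(terms) + ")";
    }

    // AND of both sets, limited to users, as in step 3 of the question.
    public static string BuildFilter(string[] groups1, string[] majors1,
                                     string[] groups2, string[] majors2)
    {
        return "(&" + OrSet(groups1, majors1) + OrSet(groups2, majors2) + "(objectClass=user))";
    }

    // Single paged search; only the listed attribute is returned, so there is
    // no per-user lookup afterwards.
    public static List<string> FindAccountNames(DirectoryEntry root, string filter)
    {
        var names = new List<string>();
        using (var searcher = new DirectorySearcher(root, filter, new[] { "sAMAccountName" }))
        {
            searcher.PageSize = 1000;   // assumed page size for large result sets
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    if (r.Properties["sAMAccountName"].Count > 0)
                        names.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return names;
    }
}
```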