Solved

C# AccountManagement Advanced Query

Posted on 2011-04-24
748 Views
Last Modified: 2012-05-11
Hello Experts...

I'm writing a program that will need to perform advanced searches on Active Directory. I am using the .NET AccountManagement classes for everything else, and want to keep everything consistent if possible. I realize DirectorySearcher can fulfill my needs, but is there any way to do it in the AccountManagement framework?

Here are the requirements of my search:

1) First set of search criteria (logically OR'd together)
     a) Must be able to search on any number of group memberships.
     b) Must be able to search on a custom AD attribute. Let's call that field "major"
2) Second set of search criteria (logically OR'd together)
     a) Must be able to search on any number of group memberships.
     b) Must be able to search on the same custom AD attribute.

The final result should be a logical AND of those 2 criteria. An example would be:
Find all users that are a member of "Residents" or "Freshmen" or have a major of 200 (which would be "Computer Science"), that are also members of "Dorm1" or "Dorm2".

An LDAP query can do this as follows:
Step 1:
(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))
Step 2:
(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN))
Result (concatenation of steps 1 and 2 with an AND between them):
(&(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN)))
Step 3: Limit scope to users
(&(|(memberOf=Residents_DN)(memberOf=Freshmen_DN)(major=200))(|(memberOf=Dorm1_DN)(memberOf=Dorm2_DN))(objectClass=user))

Is there any way to do this?

NOTE: I realize an extrinsic search is possible, but that's far too slow (about 15 minutes or so) and resource intensive given the number of users and groups in the domain. An intrinsic solution should only take a couple seconds or so to process, which is necessary since the code will be running on a web page.

EDIT: Ignore the remark below - I tried doing this and it was moderately slow (I'm assuming from doing the lookup of each user). It's fast enough for most circumstances since it only does a lookup on the search result matches, but too slow if the search matches most AD users.

If not possible, what's the best method for doing the LDAP search via DirectorySearcher then converting the results to UserPrincipal objects? Would this approach be too slow (and I should just forget about using UserPrincipals for this task)?
Question by:geowrian
4 Comments
 
LVL 27

Accepted Solution

by:
Chinmay Patel earned 2000 total points
ID: 35477964
Hi geowrian,

I remember some years back we had similar requirements and it was darn slow... What we did using DirectorySearcher was fetch the data once and cache it [we had a limited number of fields though]. We used a custom cache for some reasons, but how about you use DirectorySearcher.CacheResults?

Regards,
Chinmay.
 
LVL 12

Author Comment

by:geowrian
ID: 35478410
Thanks for the input. I can do the search via DirectorySearcher pretty quickly by specifying the properties I want to gather and loading them into objects in memory for later use. I got that down to about a 2 second delay, which is great. I wanted to keep everything in the AccountManagement framework, but I'm not seeing any way to do that. Trying to convert the data into UserPrincipal and GroupPrincipal objects is also too slow since it does a lookup each time. Any ideas?
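The following is an added example, not code posted by geowrian or Chinmay, that puts the two threads of this discussion together: it builds the question's two OR'd criterion sets into one AND'd LDAP filter (with the values escaped so a caller-supplied group DN or major code cannot alter the filter's structure), runs it through a single DirectorySearcher call with CacheResults enabled as the accepted answer suggests, and projects the matches into plain in-memory records rather than resolving each one to a UserPrincipal, which is the lookup-per-user cost the author comment describes. Assumptions: the searcher binds to the current domain's default root, the custom attribute is literally named "major", the group DNs in Main() are placeholders rather than real directory objects, and an (objectCategory=person) term is added beside the question's (objectClass=user) because computer objects in AD also carry objectClass=user.

```csharp
// Added example for this thread (not the original poster's code). Assumes a
// custom attribute named "major", placeholder group DNs, and the default
// domain root for the search.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public sealed class AdUserRecord
{
    public string DistinguishedName { get; set; }
    public string SamAccountName { get; set; }
    public string DisplayName { get; set; }
    public string Major { get; set; }
}

public static class AdvancedUserSearch
{
    // RFC 4515 escaping. Every caller-supplied value (group DN, major code)
    // passes through here so it cannot close or extend the filter; an
    // unescaped value such as "*)(objectClass=*" would widen the search far
    // beyond the intended groups.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if ("\\*()\0".IndexOf(c) < 0) sb.Append(c);
            else sb.Append('\\').Append(((int)c).ToString("x2"));
        }
        return sb.ToString();
    }

    // One criterion set (the question's step 1 or step 2): membership in any
    // of the groups, OR the custom "major" attribute equal to any of the codes.
    public static string BuildOrClause(IEnumerable<string> groupDns, IEnumerable<string> majors)
    {
        var terms = new List<string>();
        foreach (string dn in groupDns) terms.Add("(memberOf=" + EscapeFilterValue(dn) + ")");
        foreach (string m in majors) terms.Add("(major=" + EscapeFilterValue(m) + ")");
        if (terms.Count == 0) throw new ArgumentException("A criterion set needs at least one term.");
        return terms.Count == 1 ? terms[0] : "(|" + string.Concat(terms) + ")";
    }

    // AND the two sets and limit the scope to users (the question's step 3).
    // (objectCategory=person) is an assumption added here because in AD
    // computer objects also carry objectClass=user.
    public static string BuildFilter(string firstSet, string secondSet)
    {
        return "(&" + firstSet + secondSet + "(objectCategory=person)(objectClass=user))";
    }

    // One round trip: load only the attributes that will be displayed and
    // keep the results client-side; no per-user principal lookups.
    public static List<AdUserRecord> Run(string filter)
    {
        var results = new List<AdUserRecord>();
        using (var searcher = new DirectorySearcher(filter))
        {
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName", "sAMAccountName", "displayName", "major" });
            searcher.CacheResults = true;   // the accepted answer's suggestion
            searcher.PageSize = 1000;       // paged search so large result sets are not truncated
            searcher.SearchScope = SearchScope.Subtree;
            using (SearchResultCollection hits = searcher.FindAll())
            {
                foreach (SearchResult hit in hits)
                {
                    results.Add(new AdUserRecord
                    {
                        DistinguishedName = FirstValue(hit, "distinguishedName"),
                        SamAccountName = FirstValue(hit, "sAMAccountName"),
                        DisplayName = FirstValue(hit, "displayName"),
                        Major = FirstValue(hit, "major")
                    });
                }
            }
        }
        return results;
    }

    private static string FirstValue(SearchResult hit, string attribute)
    {
        ResultPropertyValueCollection values = hit.Properties[attribute];
        return values != null && values.Count > 0 ? values[0].ToString() : null;
    }

    public static void Main()
    {
        // Placeholder DNs: replace with the real group distinguished names.
        string set1 = BuildOrClause(
            new[] { "CN=Residents,OU=Groups,DC=example,DC=com", "CN=Freshmen,OU=Groups,DC=example,DC=com" },
            new[] { "200" });
        string set2 = BuildOrClause(
            new[] { "CN=Dorm1,OU=Groups,DC=example,DC=com", "CN=Dorm2,OU=Groups,DC=example,DC=com" },
            new string[0]);
        string filter = BuildFilter(set1, set2);
        Console.WriteLine(filter);
        foreach (AdUserRecord user in Run(filter))
            Console.WriteLine(user.SamAccountName + " (" + user.Major + ")");
    }
}
```

Two caveats worth knowing before relying on this filter: memberOf matches direct membership only (nested groups are not expanded, and a user's primary group does not appear in memberOf at all), so a requirement for nested membership needs the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=DN), which is considerably more expensive on the domain controller. And if a handful of rows do still need a full principal, resolve only those with UserPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, dn) rather than every match, which is exactly the per-user lookup the thread found too slow.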
 
LVL 12

Assisted Solution

by:geowrian
geowrian earned 0 total points
ID: 35714098
It looks like using DirectorySearcher with CacheResults or a custom cache will be the only option. Thanks for the assistance, Chinmay.
 
LVL 12

Author Closing Comment

by:geowrian
ID: 35744783
Thanks all. I was unable to find any solutions for using the AccountManagement framework as desired. The DirectorySearcher option will be necessary.