maqskywalker

asked on

C# LDAP query to get group members from a Microsoft Active Directory group

Hi Experts,


I'm using C# in an ASP.NET Core 5.0 MVC Web Application.

I'm using the System.DirectoryServices 5.0 nuget package in my core application.


I'm using the technique described in this article.

Using Active Directory in .NET
https://www.codemag.com/Article/1312041/Using-Active-Directory-in-.NET

I used this method from the above article to create my own filter that queries my organization's Microsoft Active Directory.

My method is in my HomeController.cs .

using System.Diagnostics;
using System.DirectoryServices;

// Lists every user object in the current domain; GetCurrentDomainPath() is the helper from the article above.
private void GetAllUsers()
{
    using (DirectoryEntry de = new DirectoryEntry(GetCurrentDomainPath()))
    using (DirectorySearcher ds = new DirectorySearcher(de))
    {
        ds.Filter = "(&(objectCategory=User)(objectClass=person))";
        using (SearchResultCollection results = ds.FindAll())
        {
            foreach (SearchResult sr in results)
            {
                // Using the index zero (0) is required!
                Debug.WriteLine(sr.Properties["name"][0].ToString());
            }
        }
    }
}



My Active Directory Group Setup


I have an Active Directory group called AcmeEmployees.

I have assigned some subordinate groups to the AcmeEmployees group.

These are the subordinate groups that I have assigned to the AcmeEmployees group:

AcmeAccountants
AcmeEngineers
AcmeLawyers

The AcmeAccountants group contains 8 users.
The AcmeEngineers group contains 10 users.
The AcmeLawyers group contains 6 users.


Example 1


I'm trying to create a filter that will give me all the users of all the subordinate groups that belong to the AcmeEmployees group.

I created this filter using the LDAP_MATCHING_RULE_IN_CHAIN rule:

// get all the members of subgroups that are members of Group AcmeEmployees - returns 24 users
ds.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=AcmeEmployees,OU=Universal,OU=Groups,OU=ACME,DC=com))";

This filter gives me 24 users. That is exactly what I want.

It gets me all the users from all the groups belonging to the AcmeEmployees group.

The problem with this filter is that it takes like 13 seconds to finish running.


Reference Article:

Search Filter Syntax - LDAP_MATCHING_RULE_IN_CHAIN
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN



Example 2

 

Another filter I created was this one, using logical OR and AND statements and hardcoding the groups:

// get all users belonging to the AcmeAccountants, AcmeEngineers and AcmeLawyers groups - returns 24 users
ds.Filter = "(&(&(objectCategory=user))(|(memberOf=CN=AcmeAccountants,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    "(memberOf=CN=AcmeEngineers,OU=Universal,OU=Groups,OU=ACME,DC=com)" +
    "(memberOf=CN=AcmeLawyers,OU=Universal,OU=Groups,OU=ACME,DC=com)))";

This filter gives me 24 users. But I don't want to hard code the groups in my filter.

I only want to reference the main group in my filter in case I add more subordinate groups to it.


My Question:

Is there another way to write the filter I created in Example 1 above, so it doesn't take like 13 seconds to run?

Or

 

Is there another way to write that same filter without using LDAP_MATCHING_RULE_IN_CHAIN?
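One way to answer the second question without LDAP_MATCHING_RULE_IN_CHAIN, as an added example that is not code from the question or the codemag article: expand the group client-side, one memberOf search for direct users and one for direct subgroups per group, recursing with a visited set so a cycle of nested groups cannot loop forever. It assumes a domain-joined host (a DirectorySearcher with no SearchRoot searches the current domain's root) and uses the AcmeEmployees DN from the question; the DN is escaped before it is placed in the filter, since the question's code builds filters by string concatenation.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not from the question or the codemag article): expands a group recursively
// with plain memberOf filters instead of LDAP_MATCHING_RULE_IN_CHAIN. A DirectorySearcher
// without an explicit SearchRoot searches the current domain's root, so run this domain-joined.
static class NestedGroupMembers
{
    // Escape a value before embedding it in an LDAP filter (RFC 4515), so a DN that
    // contains '(', ')', '*' or '\' cannot change the structure of the filter.
    static string EscapeFilterValue(string value) =>
        value.Replace("\\", "\\5c").Replace("*", "\\2a")
             .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    // Runs one search and returns the distinguishedName of every matching object.
    static List<string> Search(string filter)
    {
        var dns = new List<string>();
        using (var ds = new DirectorySearcher(filter, new[] { "distinguishedName" }))
        {
            ds.PageSize = 1000; // paged results, so groups with more than 1000 members are not truncated
            using (SearchResultCollection results = ds.FindAll())
                foreach (SearchResult sr in results)
                    dns.Add((string)sr.Properties["distinguishedName"][0]);
        }
        return dns;
    }

    // Direct user members of groupDn plus the users of every nested group. The visited
    // set stops infinite recursion when groups contain each other in a cycle.
    public static HashSet<string> GetUsers(string groupDn, HashSet<string> visited = null)
    {
        visited ??= new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (!visited.Add(groupDn)) return users; // this group was already expanded
        string safeDn = EscapeFilterValue(groupDn);
        users.UnionWith(Search("(&(objectCategory=user)(memberOf=" + safeDn + "))"));
        foreach (string subGroup in Search("(&(objectCategory=group)(memberOf=" + safeDn + "))"))
            users.UnionWith(GetUsers(subGroup, visited));
        return users;
    }

    static void Main()
    {
        // Group DN from the question; for the setup described there the count should be 24 (8 + 10 + 6).
        var users = GetUsers("CN=AcmeEmployees,OU=Universal,OU=Groups,OU=ACME,DC=com");
        Console.WriteLine(users.Count);
    }
}
```

The cost is two round trips per group rather than one server-side chained search, so it pays off only while the number of nested groups is small. Like the filters in the question, memberOf does not reflect a user's primary group (primaryGroupID), so a group that is someone's primary group needs separate handling.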



ASKER CERTIFIED SOLUTION
maqskywalker