9

I want to get the list of groups which the user is in.

This is my code:

using System.DirectoryServices.AccountManagement;

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "mydomain.ac.uk", "DC=mydomain,DC=AC,DC=UK", "user", "password");

UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "MyUser");

PrincipalSearchResult<Principal> results = user.GetGroups();

foreach (Principal p in results)
{
    Response.Write(p.Name);
}

When I run it, I get the following error at the line Response.Write(p.Name):

System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist.

When I checked the count of the results, it returned 9 and the first group is DomainUsers.

How can I iterate all 9 groups in the list? Thanks.

The following is the list of users I get:

[screenshot not reproduced]

marc_s
TTCG
  • How do you initialize PrincipalContext? – Damith Apr 20 '12 at 10:34
  • PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "mydomain.ac.uk", "DC=mydomain,DC=AC,DC=UK", "user", "password"); – TTCG Apr 20 '12 at 10:34
  • The name attribute may not have been populated (perhaps because it was from a different domain than the one you queried??). Try asking for the DisplayName or DistinguishedName or SamAccountName or SID. – Ben Apr 20 '12 at 10:47
  • I have tried these name but the error is still the same. When I checked in the debug view, the following is the error I get: Name ( '((System.DirectoryServices.AccountManagement.Principal)((new System.Linq.SystemCore_EnumerableDebugView(results)).Items[1])).Name' threw an exception of type 'System.Runtime.InteropServices.COMException' ) – TTCG Apr 20 '12 at 10:57
  • 1
    I guess it's because your "user" account doesn't have enough permission to read the group objects. Do you see `DistinguishName` attribute and `Guid` attribute? – Harvey Kwok Jul 15 '12 at 03:40
  • I have the same error - I get the collection of groups, but can't get their properties. Did you solve this problem? – donRumatta Aug 07 '12 at 13:46
  • @donRumatta var theDirectoryEntry = groupPrincipal.GetUnderlyingObject(); then theDirectoryEntry.Properties["propertyName"].Value as ???. Of course you'll have to iterate through the collection of group principals. – Sinaesthetic Sep 04 '12 at 21:59

2 Answers

6

When omitting the LDAP container property as described in PrincipalContext Class, the user running the code must have read permissions to both the default User Container (i.e. CN=Users,DC=yourDomain,DC=COM) and the Computers Container (i.e. CN=Computers,DC=yourDomain,DC=COM).

If the user does not have the required permissions you will get the following error messages:

  • The specified directory service attribute or value does not exist

  • ‘context.Container’ threw an exception of type ‘System.NullReferenceException’ string {System.NullReferenceException}

  • ‘((new System.Linq.SystemCore_EnumerableDebugView(groups)).Items[5]).Description’ threw an exception of type ‘System.Runtime.InteropServices.COMException’ string {System.Runtime.InteropServices.COMException}

Michael Haren
Markus
  • If someone deletes the computers container in the domain in question, you will get this error as well. For heaven's sake... Someone deleted the thing. – Robert Kaucher Jan 30 '18 at 21:19
  • Anyone attempting to use `this.RequestContext.Principal.IsInRole("ad group name")` and it always returns false with no exception thrown, this is a possible cause. Restoring the CN and permissions fixed this for me. – Robert Kaucher Feb 08 '18 at 18:41
  • The link to the blog seems to be broken. – CodeFox Dec 10 '18 at 15:11
1

Try something like:

foreach (Principal p in results)
{
    if (p is GroupPrincipal)
        Response.Write(p.DisplayName);
}

I know it sounds dumb, but it has worked for me in the past. Your results look like it only actually found 1 security group and 8 "other" types of groups. Those "other" groups may not possess those attributes.

Sinaesthetic
  • For me, the name was better (DisplayName was empty): `user.GetGroups().OfType<GroupPrincipal>().Select(p => p.Name)` – a-h Jun 05 '17 at 18:01
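As an added example (not code from the question or either answer), here is how the two answers combine into a defensive enumeration: the container is passed explicitly so the context does not depend on read access to the default Users and Computers containers, only GroupPrincipal entries are kept, and a group whose attributes the calling account cannot read is reported by SID with a marker instead of one COMException aborting the whole loop. The domain, container DN and account name are placeholder assumptions; the context runs as the calling identity rather than with an embedded password.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

static class GroupLister
{
    // Returns one line per group the user is a member of; a group the caller
    // cannot read yields a marker line instead of throwing.
    public static List<string> ListGroups(string domain, string containerDn, string samAccountName)
    {
        var lines = new List<string>();
        // Explicit container: avoids the dependency on CN=Users / CN=Computers
        // read rights described in the first answer. No credentials are passed,
        // so the lookup runs as the current process identity.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, containerDn))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("user not found: " + samAccountName);

            foreach (Principal p in user.GetGroups())
            {
                using (p)
                {
                    // Second answer: only real group objects carry the name attributes.
                    if (!(p is GroupPrincipal))
                        continue;
                    try
                    {
                        // Name / DistinguishedName are read from the group object and
                        // fail when the caller lacks read rights on it; the SID comes
                        // from the membership lookup and is the most reliable value.
                        string sid = p.Sid.ToString();
                        string name = p.Name ?? p.DistinguishedName ?? "<no readable name>";
                        lines.Add(sid + "  " + name);
                    }
                    catch (COMException ex)
                    {
                        // Keep going: record the failure rather than losing the list.
                        lines.Add("<unreadable group: HRESULT 0x" + ex.ErrorCode.ToString("X8") + ">");
                    }
                }
            }
        }
        return lines;
    }
}
```

Usage (placeholder values): `GroupLister.ListGroups("mydomain.ac.uk", "DC=mydomain,DC=ac,DC=uk", "MyUser")`; a run that returns marker lines is the signal to check the calling account's read permissions on the affected group objects.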