1

I am querying the AD for all members of a group.

As a result I get users AND groups. My question: How can I find out what the single result is (person or group)?

This is my code. I get a ResultPropertyCollection and when I loop through the collection, I want to know for each item if it is a person or group.

ds.PropertiesToLoad.Add("member")

For Each sr As SearchResult In ds.FindAll
  Dim valueCollection As ResultPropertyValueCollection = sr.Properties("member")
  Dim propertyValue As Object

  For Each propertyValue In valueCollection
    Console.WriteLine("{0}", propertyValue.ToString())
  Next propertyValue
Next

Regards, Yavuz

Update:

This is the full code:

Private Sub EnumPropertyAndMembersOfGroup(ByVal name As String, ByVal propertyname As String)
    Try
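        ' Requires a reference to System.DirectoryServices (Imports System.DirectoryServices).
        Dim de As DirectoryEntry = New DirectoryEntry("LDAP://lab.com")
        ' Pass the entry as the search root; otherwise de is never used.
        Dim ds As DirectorySearcher = New DirectorySearcher(de)

        ' name is concatenated into the filter unescaped; escape ( ) * \ (RFC 4515)
        ' if it can come from user input.
        ds.Filter = "(&(objectCategory=group)(cn=" & name & "))"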
        ds.PropertiesToLoad.Add("sAMAccountName")
        ds.PropertiesToLoad.Add("memberOf")
        ds.PropertiesToLoad.Add("member")

        For Each sr As SearchResult In ds.FindAll
            Console.WriteLine("Search properties for {0}", sr.Path)
            Console.WriteLine()

            Dim valueCollection As ResultPropertyValueCollection = sr.Properties(propertyname)
            Dim propertyValue As Object

            For Each propertyValue In valueCollection
                Console.WriteLine("{0}", propertyValue.ToString())
            Next propertyValue
        Next
        Console.ReadKey()
    Catch ex As Exception
        Console.WriteLine("ERROR: " & ex.Message)
        Console.ReadKey()
    End Try
End Sub
STORM

2 Answers

0

You should be able to distinguish between person or group by querying the objectClass attribute, or probably the DN of the entry found.

As shown e.g. here

http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Users have "user" among their objectClass attribute values.

How to write LDAP query to test if user is member of a group?

Piotr Wadas
  • You mean query two times, first for users (person) and second for groups? – STORM Sep 16 '12 at 06:26
  • Not necessarily, it depends on how you create your search filter - you can request objects of both types (&(objectClass=user)(objectClass=group)) and then determine whether each object of the return set is object or group, or you can just request one particular type only. I'm not sure whether one object can be user and group, probably not, at least not in Windows - anyway, the way to distinguish what you retrieved is by the "objectClass" attribute (determining what kind of class(es) the object belongs to). You can even do (&(objectClass=user)(!(objectClass=group))) – Piotr Wadas Sep 16 '12 at 09:38
  • I am looking in the MEMBER property. I am first searching for a group = ds.Filter = "(&(objectCategory=group)(cn=mygroup))", then I read the members of this group, and members can be users as well as groups. In the code in my question, I am iterating through the result set of the property member, and want to determine if the returned object is a user or group. – STORM Sep 16 '12 at 10:39
  • Besides the filter, you usually define somewhere a list of names of attributes you want to retrieve (by default all readable attrs, so * (asterisk), except some system attributes). So make sure you retrieve the "objectClass" attribute too, and iterate for each object returned over its multivalue "objectClass" attribute, to find out whether the "user" AND/OR "group" value is among them. You can filter results to contain only groups, or only users, or both - and in the last case you will need to check with each object what kind of object this is. – Piotr Wadas Sep 16 '12 at 10:44
  • I am retrieving both groups and users. Can you give me an example of how to check each object what kind it is!? – STORM Sep 16 '12 at 11:03
  • http://www.sitepoint.com/forums/showthread.php?708559-Active-Directory-Distribution-List ? :) – Piotr Wadas Sep 16 '12 at 11:29
  • No! That's not what I am looking for!! I already get all members of a group. But a group can have users AND other groups as members. Therefore I want to determine if a returned member is of type user or group. – STORM Sep 16 '12 at 12:51
  • Think, man. This will be a check whether a particular object is a user or is not. Above are examples of attribute checking. So what you need is a bool function which will, on a set of strings (objectClass's attribute values), determine whether one of them is "user" or none of them. If none, then it's a group - and if it contains "user" it's undoubtedly a user object - then return true or false. As groups can possibly be members of another group (nesting groups is possible with LDAP), you won't be able to check it based on "member" attribute values only. – Piotr Wadas Sep 16 '12 at 12:56
  • OK! Here it is: http://stackoverflow.com/questions/1845170/how-to-determine-the-type-ad-user-vs-ad-group-of-an-account – STORM Sep 16 '12 at 12:58
0

Ok, here is the solution:

I must do a new query with the DN of the returned object and check for the object class:

How to determine the type (AD User vs. AD Group) of an account?

STORM
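
The second lookup this answer describes, written out as an added example that is not code from the thread: each DN from the group's member attribute is searched for again and its objectClass values decide the kind. It assumes the lab.com domain from the question and the group name mygroup from the comments; EscapeFilterValue and ClassifyMember are hypothetical helper names.

```vbnet
Imports System
Imports System.DirectoryServices

Module GroupMemberKinds

    ' Escape a value for use inside an LDAP search filter (RFC 4515), so a name
    ' containing \ * ( ) or NUL cannot change the meaning of the filter.
    Function EscapeFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                    .Replace(")", "\29").Replace(vbNullChar, "\00")
    End Function

    ' Look up one member DN again and classify it by its objectClass values.
    Function ClassifyMember(ByVal root As DirectoryEntry, ByVal memberDn As String) As String
        Using ds As New DirectorySearcher(root)
            ds.Filter = "(distinguishedName=" & EscapeFilterValue(memberDn) & ")"
            ds.PropertiesToLoad.Add("objectClass")
            Dim sr As SearchResult = ds.FindOne()
            If sr Is Nothing Then Return "unknown"   ' not found under this search root

            Dim classes As ResultPropertyValueCollection = sr.Properties("objectClass")
            ' Test the more specific classes first: computer accounts also carry "user".
            If classes.Contains("group") Then Return "group"
            If classes.Contains("computer") Then Return "computer"
            If classes.Contains("user") Then Return "user"
            Return "other"                            ' e.g. contact
        End Using
    End Function

    Sub Main()
        ' lab.com and mygroup are the values used in the thread.
        Using root As New DirectoryEntry("LDAP://lab.com"), ds As New DirectorySearcher(root)
            ds.Filter = "(&(objectCategory=group)(cn=" & EscapeFilterValue("mygroup") & "))"
            ds.PropertiesToLoad.Add("member")
            Using results As SearchResultCollection = ds.FindAll()
                For Each sr As SearchResult In results
                    For Each dn As Object In sr.Properties("member")
                        Console.WriteLine("{0,-8} {1}", ClassifyMember(root, dn.ToString()), dn)
                    Next
                Next
            End Using
        End Using
    End Sub
End Module
```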