
I don't know if "nested" is the word for what I need, but here's the explanation:

I have a user, "John". "John" is member of the group "A". Group "B" has group "A" as a member.

So, transitively, "John" should also be member of the group "B".

When I retrieve John's groups, I only get "A" and not "B", doing it like this:

```csharp
using System.DirectoryServices;

DirectorySearcher searcher = new DirectorySearcher();
DirectoryEntry rootEntry = new DirectoryEntry(_ldap, _loginName, _password, AuthenticationTypes.ReadonlyServer);

searcher.SearchRoot = rootEntry;
searcher.SearchScope = SearchScope.Subtree;
// "filter" holds a DOMAIN\user login name; the part after the backslash is the sAMAccountName.
// Note: the value is concatenated into the LDAP filter without escaping.
searcher.Filter = "(&(sAMAccountName=" + filter.Split('\\')[1] + ")(objectClass=user))";
searcher.PropertiesToLoad.Add("memberOf");   // direct group memberships only
searcher.PropertiesToLoad.Add("displayname");

SearchResult sr = searcher.FindOne();
```

How can I achieve this?

Thank you!

Nicole
  • [Enumeration of Nested User Groups in AD](http://stackoverflow.com/questions/7149157/enumeration-of-nested-ad-user-groups-using-c-sharp) check this previous posting out `Nicole` – MethodMan Dec 04 '14 at 19:04
  • It's not the same thing because I am starting with the user, I get its direct groups and I need to know if any of those groups is, at the same time, a member of another group. – Nicole Dec 04 '14 at 19:23
  • is that a case typo/fat fingering in your Filter=`"(&(sAmAccountName` not sure if it matters but I think it should be `samAccountName` also can you also add `&& (objectClass=groups))` – MethodMan Dec 04 '14 at 20:39
  • hey check out doing this with PrincipalContext I am not sure if what I have done previously will help or not http://stackoverflow.com/questions/14762653/searching-active-directory-users-only-in-specified-group-in-c-sharp/14762881#14762881 – MethodMan Dec 04 '14 at 21:09

1 Answer


I ended up using the "tokenGroups" property of the user, which seems to return all the groups the user is in, even the ones in which he is member transitively.

Here's my code:

```csharp
using System.DirectoryServices;
using System.Linq;

DirectorySearcher searcher = new DirectorySearcher();
DirectoryEntry rootEntry = new DirectoryEntry(_ldap, _loginName, _password, AuthenticationTypes.ReadonlyServer);

searcher.SearchRoot = rootEntry;
searcher.SearchScope = SearchScope.Subtree;
searcher.Filter = "(&(sAMAccountName=" + filter.Split('\\')[1] + ")(objectClass=user))";
searcher.PropertiesToLoad.Add("memberOf");
searcher.PropertiesToLoad.Add("displayname");

SearchResult sr = searcher.FindOne();
// tokenGroups is a constructed attribute: a search does not return it, so it has to be
// loaded on the user's own DirectoryEntry (the original used an undeclared "result" here).
DirectoryEntry userDirectoryEntry = sr.GetDirectoryEntry();
userDirectoryEntry.RefreshCache(new string[] { "tokenGroups" });

// objectSid is the objectSid (byte[]) of the group being tested, looked up by name beforehand.
bool isMember = false;
foreach (byte[] byteEntry in userDirectoryEntry.Properties["tokenGroups"])
{
   // each entry is the binary SID of a group the user belongs to, nested groups included
   if (CompareByteArrays(byteEntry, objectSid))
   {
         isMember = true;
         break;
   }
}

// byte-wise equality helper used above
static bool CompareByteArrays(byte[] a, byte[] b) => a.SequenceEqual(b);
```

It's a mix of this and this link, where objectSid is the objectSID of the group which I find by name.

Thanks a lot for your help!

Nicole
  • Is it possible you share the rest of the code? What is objectSid? what is the forloop for? Thanks – PKCS12 Sep 14 '21 at 11:44
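A complete version of the tokenGroups approach, added here as an example and not code from the original post: it escapes the login name before building the LDAP filter, loads tokenGroups on the user's entry and converts each returned byte[] into a SecurityIdentifier, so a group's objectSid can be compared without a hand-written byte comparison. The class, method and parameter names are my own; the LDAP path, bind account and "DOMAIN\user" login name are assumed to come from the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the original post. Assumes an LDAP path, a read-only
// bind account and a "DOMAIN\user" login name supplied by the caller.
static class TokenGroupsLookup
{
    // Escape a value before concatenating it into an LDAP filter (RFC 4515); backslash
    // is replaced first so the escapes added afterwards are not themselves escaped.
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Returns the SIDs of every group the user belongs to, nested groups included.
    public static List<SecurityIdentifier> GetTransitiveGroupSids(
        string ldapPath, string bindUser, string bindPassword, string domainUser)
    {
        int slash = domainUser.IndexOf('\\');
        string sam = slash < 0 ? domainUser : domainUser.Substring(slash + 1);
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.ReadonlyServer))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(sAMAccountName=" + EscapeFilterValue(sam) + ")(objectClass=user))";
            SearchResult sr = searcher.FindOne();
            if (sr == null) throw new InvalidOperationException("user not found: " + sam);
            // tokenGroups is a constructed attribute: a search does not return it,
            // so it has to be loaded explicitly on the user's own entry.
            using (DirectoryEntry user = sr.GetDirectoryEntry())
            {
                user.RefreshCache(new[] { "tokenGroups" });
                var sids = new List<SecurityIdentifier>();
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                    sids.Add(new SecurityIdentifier(sidBytes, 0));
                return sids;
            }
        }
    }

    // True if the group whose objectSid bytes are given is among the user's groups;
    // SecurityIdentifier has value equality, so no byte-array comparison is needed.
    public static bool IsMemberOf(List<SecurityIdentifier> groups, byte[] groupObjectSid)
    {
        return groups.Contains(new SecurityIdentifier(groupObjectSid, 0));
    }
}
```

Pass the group's objectSid (read from the group's own entry) to IsMemberOf together with the list returned by GetTransitiveGroupSids to answer the question's "is John in B?" check.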