I am trying to enumerate all the users of the Enterprise Admins group.

I have tried the following:

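```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Bind to the directory, then look up the group by name.
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "globalcatalog.domain.local", "DC=domain,DC=local");
GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, "Enterprise Admins");

IList<string> users = new List<string>();

// GetMembers(true) walks nested groups recursively.
foreach (Principal p in grp.GetMembers(true))
{
    users.Add(p.Name);
}
```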

Unfortunately, I consistently get an error that says "A referral was returned from the server." Is there anything I am missing here? I would rather not go back to using the DirectoryEntry class, but it looks like I might have to.

appsecguy
  • http://stackoverflow.com/questions/6954170/a-referral-was-returned-from-the-server-exception-when-accessing-ad-from-c-sha Look at Anders Abel's answer. – Wiktor Zychla Oct 06 '15 at 20:09
  • I am trying to *not* use the DirectoryEntry class. I would like to use PrincipalContext where possible, as I find the code more readable. – appsecguy Oct 06 '15 at 20:10
  • The answer is not about DirectoryEntry but rather about possible wrong referring to the domain controller. – Wiktor Zychla Oct 06 '15 at 22:23
  • The references I have are correct - using the server name in a PowerShell script, I am able to get the information I need. – appsecguy Oct 06 '15 at 23:18
  • Do you get the `referral` from establishing the `ctx` connection or from finding the group? And I'm assuming `GroupPrincipa,FindByIdentity` is a typo? It should be `GroupPrincipal.FindByIdentity`. Wrap those two statements in a `try/catch` statement and look at the `error code`. Does the account that you're executing the code with have enough rights to search AD? – smr5 Oct 07 '15 at 04:01
  • The error is 1355. The error occurs when GroupPrincipal is hit, not PrincipalContext. – appsecguy Oct 07 '15 at 04:32
  • What if you prefix the group name with the actual domain name? Just guessing but can't see anything obvious here. – Wiktor Zychla Oct 07 '15 at 12:18
  • Hm, you mean like DOMAIN\Enterprise Admins? Yeah, this is really strange. I can get Domain Admins just fine, but not Enterprise Admins. When I tried using port 3268, I get an error that it cannot get info from the domain. – appsecguy Oct 07 '15 at 15:20

0 Answers