
I am developing a program in C# that searches all of the users in AD and adds them to a list. Unfortunately, I have run across a case in which a particular user is not being added to the group.

Relevant code I am using to create the list (in a try/catch block):

using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Assumes a User class with a (samaccountname, mail, displayname) constructor, as used below.
List<User> ADUsers = new List<User>();
string domainPath = "LDAP://DC=domain,DC=local";
DirectoryEntry entry = new DirectoryEntry(domainPath);   // bind to the domain root
DirectorySearcher search = new DirectorySearcher(entry); // searcher declaration omitted from the post; supplied here
search.Filter = "(&(objectClass=user))";
//I was including propertiesToLoad here, but I removed it in testing
SearchResultCollection results = search.FindAll();
if (results != null)
{
    foreach (SearchResult result in results)
    {
        // only add entries that carry all three attributes
        if (result.Properties.Contains("samaccountname") && result.Properties.Contains("mail") && result.Properties.Contains("displayname"))
        {
            User objSurveyUser = new User((String)result.Properties["samaccountname"][0], (String)result.Properties["mail"][0], (String)result.Properties["displayname"][0]);
            ADUsers.Add(objSurveyUser);
        }
    }
}
return ADUsers;

I get 900+ entries (as expected), and I have so far been able to search for every user I have tried but one.

I checked in AD to verify that the user was classified as a user, so I know it should not be getting filtered out. I also verified (in Hyena) that the pre-2K account name (samaccountname), email address (mail), and display name were all listed and correct for this user.

I have created else blocks to catch users that are missing one or more of the above and tried to find the user that way, but to no avail.

Does anyone see anything obvious that I might be missing in my code?

Update: I changed the search filter to (objectCategory=person) and some of the users I was unable to find appeared. Getting closer.

Update 2: I think there might be an issue with the way AD Searcher works. I changed (objectCategory=person) to (|(objectCategory=person)(objectClass=user)). By the rules of logic, my returned size should grow; instead, it shrinks. |A U B| >= |A|

Update 3: I have entirely removed the line for search.Filter and tried a different filter: (!(userAccountControl=2)). Both options give me the complete list of users in the base OU, but they do not search inside other OUs.

jasotastic
  • Is there anything special about that account? Like, is it an admin account? Is it in the Users container rather than an OU? Are the account's permissions set in any way where your account can't see it (e.g. deny permissions)? Is it in an OU with any permissions set that would make you not see it? – Gabriel Luci Mar 09 '18 at 02:15
  • Not as far as I can tell. It is a standard user account. I can see other accounts in that same OU. I can see the account in ADUC and ADAC signed in as me, so I feel confident that the answer to your question about permission is "no." The more I test the more users I am finding that I do not see... – jasotastic Mar 09 '18 at 16:02

1 Answer


I added this code to my program for troubleshooting purposes: tbText.Text = $"Found {results.Count} AD entries."; That returned "Found 1000 AD entries." That line held the key to the problem. I had no idea that I was getting limited in my results. A quick search on SO led me to this post.

Once I had that information, I added the appropriate code ds.PageSize = 500;, and my problem was solved.

jasotastic