
I have a situation where I need to find the AD groups of a user recursively.

For example:

I have the following group hierarchy:
Group1
  |_
    Group2
      |_
        Group3
         |_
           UserA

According to the hierarchy, the groups of UserA are Group1, Group2 and Group3.

To find them in code I have used the following method:

' Assumes Imports System.DirectoryServices.AccountManagement and ctx As PrincipalContext for the domain
Dim UserP1 As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Remote_ID)
' Returns direct and nested security groups (distribution groups are not returned); resolved through the Windows AuthZ API
Dim allrecursiveUserGroups As PrincipalSearchResult(Of Principal) = UserP1.GetAuthorizationGroups()

This method gives me all the groups recursively, but it fails for one user with the following exception:

'System.DirectoryServices.AccountManagement.PrincipalOperationException' occurred in System.DirectoryServices.AccountManagement.dll

Additional information: While trying to retrieve the authorization groups, an error (1358) occurred.

Here is the complete stack trace:

System.DirectoryServices.AccountManagement.PrincipalOperationException was unhandled
  ErrorCode=0
  HResult=-2146233087
  Message=While trying to retrieve the authorization groups, an error (1358) occurred.
  Source=System.DirectoryServices.AccountManagement
  StackTrace:
       at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
       at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()

Another method I used is:

' Same lookup as above; GetGroups() returns only the groups that list the user directly as a member
Dim UserP1 As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Remote_ID)
Dim grps As PrincipalSearchResult(Of Principal) = UserP1.GetGroups()

This does not throw any exception and runs perfectly for all users, but it only returns the immediate groups, i.e. Group3 in my case.

The problem I am facing with GetAuthorizationGroups is the presence of special characters in the Distinguished Name that I get from UserPrincipal.

The problem here is that when the Distinguished Name of the UserPrincipal contains special characters (a comma in my case) it throws an exception. In my case the distinguished name is:

CN=Smith\, John,DC=mydomain,DC=com

Here the backslash is used as an escape character, which is added by UserPrincipal itself.

If the Distinguished Name doesn't contain any special characters, the function GetAuthorizationGroups() works fine, e.g.

CN=Smith John,DC=mydomain,DC=com

What is the reason for the problem, and is there any solution available for this?

What am I missing in my first approach of using the GetAuthorizationGroups() method?

What is the reason for error code 1358?

Is there any other good way of finding groups recursively, other than GetAuthorizationGroups() of the UserPrincipal class?

raunakchoraria
  • Is this of help: https://stackoverflow.com/questions/6252819/find-recursive-group-membership-active-directory-using-c-sharp – Dennis May 15 '18 at 13:05
  • ERROR_INTERNAL_DB_CORRUPTION 1358 (0x54E) Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk. See MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx – jdweng May 15 '18 at 13:22
  • @jdweng what can data structure corruption on disk mean? – raunakchoraria May 15 '18 at 13:27
  • You may have a link on the disk from a child folder to a parent, so you are in an endless loop. You may not have the proper credentials to read the folder/file. Or maybe the sector of the disk is actually bad. – jdweng May 15 '18 at 14:02
  • But when I am using the GetGroups() method it is working fine, but not in the case of GetAuthorizationGroups(). How is this possible in the case of a disk failure? – raunakchoraria May 15 '18 at 14:24
  • I get an exception enumerating the groups returned by `GetAuthorizationGroups` whether or not the account name has a comma in it. But I get a different error. – Gabriel Luci May 16 '18 at 13:29
  • Do you really need to list them all? Or are you really interested in only one group? There are other ways to figure out if a user is a member of a single group. – Gabriel Luci May 16 '18 at 13:29
  • @GabrielLuci Yes, I need to list all the groups in the hierarchy. Single-level groups won't work for me. – raunakchoraria May 17 '18 at 11:50
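The question's fourth point asks for a way to resolve nested membership that does not go through GetAuthorizationGroups(), whose stack trace shows it building an AuthZ context (AuthZSet) rather than querying the directory. The following is an added example, not code from the question or its comments: it resolves the full membership chain with one LDAP search using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) on the group `member` attribute, which Active Directory has supported since Windows Server 2003 SP2. The user DN is escaped per RFC 4515 before it is placed in the filter, so a DN like `CN=Smith\, John,DC=mydomain,DC=com` is handled: the backslash that DN syntax uses to escape the comma must itself be written as `\5c` inside a filter, otherwise the filter is malformed. The domain name `mydomain.com`, the account `jsmith`, the module and function names, and the assumption that the code runs on a domain-joined machine as an account allowed to read the directory are all assumptions for illustration.

```vbnet
' Added example (not from the question): resolve a user's nested AD group membership
' with a single LDAP query instead of UserPrincipal.GetAuthorizationGroups().
' Assumptions: domain-joined machine, caller may read the directory, DCs are
' Windows Server 2003 SP2 or later (required for matching rule 1.2.840.113556.1.4.1941).
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.Text

Module NestedGroupLookup

    ' Escape a value for use inside an LDAP search filter (RFC 4515).
    ' A DN such as "CN=Smith\, John,DC=mydomain,DC=com" already carries a
    ' DN-level backslash escape; that backslash must become \5c in the filter.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case ChrW(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Return the distinguished names of every group the user belongs to,
    ' directly or through any depth of nesting, in one round trip to the DC.
    Public Function GetNestedGroupDns(ByVal ctx As PrincipalContext, ByVal samAccountName As String) As List(Of String)
        Dim groups As New List(Of String)()

        Dim user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
        If user Is Nothing Then
            Throw New ArgumentException("User not found: " & samAccountName)
        End If

        ' Bind to the same DC the PrincipalContext is using and read its default naming
        ' context so the search starts at the domain root and covers every OU.
        Dim server As String = ctx.ConnectedServer
        Dim defaultNc As String
        Using rootDse As New DirectoryEntry("LDAP://" & server & "/RootDSE")
            defaultNc = CStr(rootDse.Properties("defaultNamingContext").Value)
        End Using

        Using root As New DirectoryEntry("LDAP://" & server & "/" & defaultNc)
            Using searcher As New DirectorySearcher(root)
                ' member:1.2.840.113556.1.4.1941:= matches groups that contain the DN
                ' transitively, so Group1 is returned even though only Group3 lists the user.
                searcher.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=" & _
                                  EscapeLdapFilterValue(user.DistinguishedName) & "))"
                searcher.SearchScope = SearchScope.Subtree
                searcher.PageSize = 1000   ' enable paging; a DC returns at most 1000 entries per page by default
                searcher.PropertiesToLoad.Add("distinguishedName")

                Using results As SearchResultCollection = searcher.FindAll()
                    For Each entry As SearchResult In results
                        groups.Add(CStr(entry.Properties("distinguishedName")(0)))
                    Next
                End Using
            End Using
        End Using

        Return groups
    End Function

    Sub Main()
        ' Hypothetical domain and account used for illustration only.
        Using ctx As New PrincipalContext(ContextType.Domain, "mydomain.com")
            For Each dn As String In GetNestedGroupDns(ctx, "jsmith")
                Console.WriteLine(dn)
            Next
        End Using
    End Sub

End Module
```

Two caveats when comparing the output with GetAuthorizationGroups(): the user's primary group (typically Domain Users) is recorded in `primaryGroupID`, not in any group's `member` attribute, so the chain query will not return it; and the query returns distribution groups as well as security groups, which can be excluded by adding `(groupType:1.2.840.113556.1.4.803:=2147483648)` to the filter. Chain-rule queries are evaluated on the DC and can be slow against very large or deeply nested group trees.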

0 Answers