
I can check if an account is a member of an AD group, but is there a way to tell if an account belongs to an OU? I would like to search by OU instead of by AD group and I am not sure if that's possible. Below is how I search for an AD group.

using System;
using System.DirectoryServices;

// ADsPath of the container to test ("onecity" is the server part of the path).
string myADSPath = "LDAP://onecity/CN=Users,DC=onecity,DC=corp,DC=fabrikam,DC=com";

// DirectoryEntry.Exists reports whether an object at this ADsPath can be bound to.
if (DirectoryEntry.Exists(myADSPath))
{
    Console.WriteLine("In the group");
}
else
{
    Console.WriteLine("Couldn't get in the group");
}
  • Isn't this just a suffix search based on distinguished names? (Unless I'm misinterpreting what you mean by "belongs to an OU") – Damien_The_Unbeliever Sep 10 '18 at 14:01
  • @Damien_The_Unbeliever When searching for an AD group, I can directly search for a member with DirectoryEntry(member), but for an OU that contains groups and accounts I'm not sure if there's a way to do a similar search. – Jonah Bartz Sep 10 '18 at 14:04
  • Basically what I'm asking is, if I have a user account, is there a way to tell what OU it belongs in? @Damien_The_Unbeliever – Jonah Bartz Sep 10 '18 at 14:13
  • You want to check if a user is in a specified OU? Or you want to find a user and get the user's OU? – Tor Sep 10 '18 at 14:17
  • I can get the user, I just want to check if they are in a specific OU. @Tor – Jonah Bartz Sep 10 '18 at 14:19
  • Yes, so like I say, if they're in `CN=Users,DC=onecity,DC=corp,DC=fabrikam,DC=com`, their distinguished name should be something like `CN=John Smith,CN=Users,DC=onecity,DC=corp,DC=fabrikam,DC=com`, so it should just be a suffix match on that, surely? – Damien_The_Unbeliever Sep 10 '18 at 14:24

1 Answer


With this method, you can check if the specified user is in the foo/bar OU:

using System;
using System.DirectoryServices;

public bool CheckUserInOU(string userName)
{
    // Bind directly to the OU; "onecity" is the server (host[:port]) part of the ADsPath.
    using (var entryPoint = new DirectoryEntry("LDAP://onecity/OU=bar,OU=foo,DC=onecity,DC=corp,DC=fabrikam,DC=com"))
    {
        // User and pass for the LDAP query user if needed.
        entryPoint.Username = "YourUsernameHere";
        entryPoint.Password = "YourPasswordHere";

        using (var searcher = new DirectorySearcher(entryPoint))
        {
            // OneLevel only matches objects directly inside this OU;
            // SearchScope.Subtree would also cover nested OUs.
            searcher.SearchScope = SearchScope.OneLevel;
            // userName is interpolated straight into the filter, so escape it
            // (RFC 4515: backslash, *, (, ) and NUL) if it comes from untrusted input.
            searcher.Filter = $"(&(samAccountName={userName})(objectCategory=user))";

            return searcher.FindOne() != null;
        }
    }
}

And as @Damien_The_Unbeliever says, if you have the user, the distinguishedName attribute will contain the OU.

Tor
  • Thanks for the help, but I have another question. That LDAP path I presented was just an example provided by Microsoft; I'm not sure what my LDAP query would be when all I have is the OU. Are there any PowerShell commands or something that could return what the full path of the OU is? I am very new to this, if you couldn't tell, and any help I can get I greatly appreciate. – Jonah Bartz Sep 10 '18 at 14:47
  • You need the full path; you have to know the DC and the full OU path. For example, you can create a `Foo` OU, and within this a nested `Foo` OU with the same name. You can search the `Foo` OU, but you will have 2 hits. – Tor Sep 10 '18 at 14:54
  • But if you are new to LDAP/AD, you should read some on the topic. For example [this](https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search). – Tor Sep 10 '18 at 14:57
  • I think I have the DC, but I'm not sure what I would put in place of the "onecity" in the example provided. If my OU path is "domainExample.net/Accounts/Users/Common Accounts", would my LDAP be ($@"LDAP://domainExample/OU=Accounts, OU=users, OU=Common Accounts, DC=domainExample, DC = net")? – Jonah Bartz Sep 10 '18 at 15:07
  • onecity is server:port – Tor Sep 10 '18 at 15:23
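The following is an added example, not code from the question, from Tor's answer or from any library the thread mentions. It ties together the two approaches discussed: Damien_The_Unbeliever's suggestion of testing the user's distinguishedName against the OU, and the later comment asking how to turn a canonical OU path such as "domainExample.net/Accounts/Users/Common Accounts" into an LDAP distinguished name (in a DN the most specific RDN comes first, so the OUs are listed deepest-first, followed by the DC components). The `OuMembership` class, its method names, and the server name passed to `UserIsInOu` are assumptions; the domain name is the one from the comment thread. The DN comparison works on whole RDNs rather than a raw string suffix, so an account under "OU=Common Accounts 2" is not mistaken for one under "OU=Common Accounts", and the account name is escaped before being placed in the filter so that a value like `*` or `x)(cn=*` cannot change the query.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;
// Added example, not code from the original question or answer. The domain and OU
// path come from the comment thread; server name and helper names are assumptions.
public static class OuMembership
{
    // Convert an ADUC-style canonical path to an LDAP DN, e.g.
    // "domainExample.net/Accounts/Users/Common Accounts" becomes
    // "OU=Common Accounts,OU=Users,OU=Accounts,DC=domainExample,DC=net". Assumes every
    // segment below the domain is an OU (built-in containers such as Users are CN=).
    public static string CanonicalToDn(string canonicalPath)
    {
        string[] segments = canonicalPath.Trim('/').Split('/');
        IEnumerable<string> dcs = segments[0].Split('.').Select(d => "DC=" + EscapeDnValue(d));
        IEnumerable<string> ous = segments.Skip(1).Reverse().Select(o => "OU=" + EscapeDnValue(o));
        return string.Join(",", ous.Concat(dcs));
    }

    // RFC 4514 escaping for an attribute value inside an RDN.
    public static string EscapeDnValue(string value)
    {
        var sb = new StringBuilder(value.Length * 2);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool special = "+,\"\\<>;".IndexOf(c) >= 0
                || (i == 0 && (c == '#' || c == ' '))
                || (i == value.Length - 1 && c == ' ');
            if (special) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // RFC 4515 escaping for a filter value (backslash first). Without it a userName
    // such as "*" or "x)(cn=*" changes the meaning of the query.
    public static string EscapeFilterValue(string value) =>
        value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
             .Replace(")", "\\29").Replace("\0", "\\00");

    // Split a DN into RDNs on unescaped commas, keeping escape pairs intact.
    public static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) current.Append(c).Append(dn[++i]);
            else if (c == ',') { parts.Add(current.ToString().Trim()); current.Clear(); }
            else current.Append(c);
        }
        parts.Add(current.ToString().Trim());
        return parts;
    }

    // True when memberDn sits under ouDn. RDNs are compared case-insensitively
    // as whole units, so "OU=Foo" never matches "OU=Foo Bar" by accident.
    public static bool IsUnderOu(string memberDn, string ouDn, bool includeNested = true)
    {
        List<string> member = SplitRdns(memberDn);
        List<string> ou = SplitRdns(ouDn);
        int extra = member.Count - ou.Count;
        if (extra < 1 || (!includeNested && extra != 1)) return false;
        return ou.Select((rdn, i) => string.Equals(member[extra + i], rdn, StringComparison.OrdinalIgnoreCase))
                 .All(equal => equal);
    }

    // Live check: find the account anywhere in the domain, then test its
    // distinguishedName against the OU. "server" is a DC host or host:port.
    public static bool UserIsInOu(string server, string userName, string ouCanonicalPath, bool includeNested = true)
    {
        string ouDn = CanonicalToDn(ouCanonicalPath);
        string domainDn = string.Join(",", SplitRdns(ouDn).Where(r => r.StartsWith("DC=", StringComparison.OrdinalIgnoreCase)));
        using (var root = new DirectoryEntry($"LDAP://{server}/{domainDn}"))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = $"(&(objectCategory=person)(objectClass=user)(sAMAccountName={EscapeFilterValue(userName)}))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            return hit != null && IsUnderOu((string)hit.Properties["distinguishedName"][0], ouDn, includeNested);
        }
    }
    public static void Main()
    {
        // Offline demonstration with constructed DNs; no directory is contacted.
        string ouDn = CanonicalToDn("domainExample.net/Accounts/Users/Common Accounts");
        Console.WriteLine(ouDn);
        Console.WriteLine(IsUnderOu("CN=John Smith,OU=Common Accounts,OU=Users,OU=Accounts,DC=domainExample,DC=net", ouDn));
        Console.WriteLine(IsUnderOu("CN=John Smith,OU=Common Accounts 2,OU=Users,OU=Accounts,DC=domainExample,DC=net", ouDn));
        Console.WriteLine(IsUnderOu("CN=svc,OU=Service,OU=Common Accounts,OU=Users,OU=Accounts,DC=domainExample,DC=net", ouDn, includeNested: false));
        Console.WriteLine(EscapeFilterValue("j*smith)(cn=*"));
    }
}
```

`UserIsInOu("dc01.domainExample.net", "jsmith", "domainExample.net/Accounts/Users/Common Accounts")` is the live call; it searches the whole domain once and decides from the returned distinguishedName, so it reports the nested case correctly and can be switched to direct-children-only with `includeNested: false`. The `Main` method exercises only the offline pieces, which is what you can run without a domain to hand. Binding as the current process identity (no `Username`/`Password` on the `DirectoryEntry`) avoids embedding credentials in source, as the answer's placeholders would invite.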