I have the following code. It is supposed to check with the LDAP server what roles a user has, display all of them, and delete any role that doesn't exist on the LDAP server. Right now it doesn't display the "domain users" group, as it is the primary group. But I need it to display the domain users role as well. I tried including (primaryGroupID=513) in the filter, but that doesn't work, as 'directorySearcher.FindOne();' returns null after I add primaryGroupID to the filter.
Viewed 625 times
3 Answers
0
I am sure you have done your research as well. I don't believe there is an easy way to access the groups that are set up as primary, or part of the groups that are members of the same group as Domain Users. My account in my AD has 125 groups but only 70 show up if I query via PowerShell or DirectoryEntry.
I know that the following code works and pulls all the groups regardless of what type of group it is.
```csharp
using System.DirectoryServices.AccountManagement;

// Resolve the user in the current domain, then ask for every group in its security token (primary and nested groups included)
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = (UserPrincipal)Principal.FindByIdentity(ctx, userID);
PrincipalSearchResult<Principal> userGroups = user.GetAuthorizationGroups();
```

Jawad
0
You can access the default group if you get the PrimaryGroupID first.
We document the LDAP Filter that can be used.
And there is also Get-ADPrincipalGroupMembership

jwilleke
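Building on jwilleke's hint, here is an added example (mine, not code from the question or any answer) that derives the primary group's SID from the user's own objectSid and primaryGroupID, builds the matching LDAP filter, and resolves the group name. It assumes `searchRoot` is the question's `directoryEntry` and `userResult` is the `SearchResult` from its `FindOne()` call, with `objectSid` and `primaryGroupID` among the loaded properties.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// A primary group is not listed in memberOf; the user object only stores its RID in
// primaryGroupID, so the group's SID is <domain SID>-<primaryGroupID> (513 = Domain Users).
public static class PrimaryGroup
{
    // Pure helper: domain part of the user's SID + the RID stored in primaryGroupID.
    public static SecurityIdentifier PrimaryGroupSid(byte[] userObjectSid, int primaryGroupId)
    {
        var userSid = new SecurityIdentifier(userObjectSid, 0);
        var domainSid = userSid.AccountDomainSid
            ?? throw new ArgumentException("objectSid has no domain part", nameof(userObjectSid));
        return new SecurityIdentifier(domainSid.Value + "-" + primaryGroupId);
    }

    // LDAP filter matching exactly that group; Active Directory accepts the string SID form for objectSid.
    public static string GroupFilter(SecurityIdentifier groupSid) =>
        "(&(objectCategory=group)(objectSid=" + groupSid.Value + "))";

    // Resolve the primary group name for a user search result (assumed names: userResult, searchRoot).
    public static string PrimaryGroupName(SearchResult userResult, DirectoryEntry searchRoot)
    {
        var sidBytes = (byte[])userResult.Properties["objectSid"][0];
        var rid = (int)userResult.Properties["primaryGroupID"][0];
        var groupSid = PrimaryGroupSid(sidBytes, rid);
        using (var searcher = new DirectorySearcher(searchRoot, GroupFilter(groupSid), new[] { "name" }))
        {
            var group = searcher.FindOne();
            return group == null ? null : (string)group.Properties["name"][0];
        }
    }

    public static void Main()
    {
        // Constructed sample: a user SID in a made-up domain (RID 1105) whose primary group RID is 513.
        var userSid = new SecurityIdentifier("S-1-5-21-1004336348-1177238915-682003330-1105");
        var bytes = new byte[userSid.BinaryLength];
        userSid.GetBinaryForm(bytes, 0);
        Console.WriteLine(GroupFilter(PrimaryGroupSid(bytes, 513)));
    }
}
```

If the user search was created with an explicit PropertiesToLoad list, add "objectSid" and "primaryGroupID" to it, otherwise the two lookups in PrimaryGroupName return nothing.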
0
This worked flawlessly
```csharp
using System.DirectoryServices;
using System.Security.Principal;

// results, directoryEntry and MemberGroups come from the question's own code
// (the FindOne() result, the search root and the list of group names).
if (results != null)
{
    // tokenGroups is a constructed attribute holding the SID of every security group the
    // account belongs to, including the primary group (Domain Users by default)
    var User = results.GetDirectoryEntry();
    User.RefreshCache(new string[] { "tokenGroups" });
    foreach (byte[] resultBytes in User.Properties["tokenGroups"])
    {
        var SID = new SecurityIdentifier(resultBytes, 0);
        // Resolve each SID back to its object name with an objectSid search
        using (var sidSearcher = new DirectorySearcher(directoryEntry))
        {
            sidSearcher.Filter = "(objectSid=" + SID.Value + ")";
            sidSearcher.PropertiesToLoad.Add("name");
            var sidResult = sidSearcher.FindOne();
            if (sidResult != null)
            {
                MemberGroups.Add((string)sidResult.Properties["name"][0]);
            }
        }
    }
}
```

Srs