10

I have a C# 4.0 program working that retrieves all the members for a specific AD group. In this AD group are other AD groups containing other members. I need my program to identify that it is a group and retrieve the members in that group.

I know I need to write a recursive program but I was hoping somebody out there might have already done it. If not, could somebody tell me the AD property attribute to identify that the member is actually a group?

Josh Crozier
Richard Butterwood
  • This link can be useful: http://en.csharp-online.net/User_Management_with_Active_Directory%E2%80%94Retrieving_tokenGroups_from_ADAM – Rubens Farias Jul 16 '11 at 01:09

2 Answers

18

Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD. Also: the GroupPrincipal has a method called GetMembers which will list all members of that group - optionally, it will do so recursively for you!

using System.DirectoryServices.AccountManagement;

// set up domain context (disposable - release the LDAP connection when done)
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    // find the group you're interested in
    GroupPrincipal myGroup = GroupPrincipal.FindByIdentity(ctx, "SomeGroup");

    // if you found it - get its members
    if (myGroup != null)
    {
        // when you call GetMembers, you can optionally specify a "Recursive" flag - done here
        using (PrincipalSearchResult<Principal> allMembers = myGroup.GetMembers(true))
        {
            foreach (Principal member in allMembers)
            {
                // member.SamAccountName, member.Sid etc. are available here
            }
        }
    }
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

marc_s
  • Thank you for the tip on S.DS.AM. It just saved me the pain of writing a recursive program!!!! – Richard Butterwood Jul 16 '11 at 15:17
  • `GetMembers(true)` has a limitation, e.g. `Domain Users` are not returned at all. In order to get them you have to call `GetMembers(false)` recursively. – Wernfried Domscheit Dec 11 '15 at 10:26
  • @WernfriedDomscheit what are the other limitations? – DevÁsith Oct 13 '16 at 06:41
  • I don't know the exact difference between `GetMembers(true)` and `GetMembers(false)`. But I noticed "Domain Users" are not returned, which drove me to use `false` rather than `true`. – Wernfried Domscheit Oct 13 '16 at 07:07
  • @WernfriedDomscheit: that's probably the so-called "primary group" that is in fact never returned by any of those "GetMembers" calls ... – marc_s Oct 13 '16 at 08:14
  • @marc_s When using the optional recursive flag is there a way to know what nested group the user inherited membership to the parent group through please? – RichardD Jul 08 '20 at 13:32
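The manual recursion the comments above describe (`GetMembers(false)` at each level), as an added example that is not part of the original answer: it records the nesting path through which each user reached the top-level group and stops on circular nesting. "SomeGroup" is a placeholder name; the helper names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example (not the answer's code): maps each user's SAM account name to the
// chain of groups that led to it, e.g. "SomeGroup > SubGroup > jdoe".
static class NestedGroupWalker
{
    public static Dictionary<string, string> Walk(string groupName)
    {
        var results = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var root = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (root == null)
                throw new ArgumentException("Group not found: " + groupName);
            WalkGroup(root, root.Name, new HashSet<string>(), results);
        }
        return results;
    }

    private static void WalkGroup(GroupPrincipal group, string path,
                                  HashSet<string> visitedSids,
                                  Dictionary<string, string> results)
    {
        // Group nesting can be circular (A contains B, B contains A);
        // the set of visited SIDs stops infinite recursion.
        if (!visitedSids.Add(group.Sid.Value))
            return;

        // GetMembers(false) returns direct members only; the recursion is done here.
        // Note: the primary group (usually "Domain Users") is not stored in the
        // group's member attribute, so neither overload returns it.
        using (PrincipalSearchResult<Principal> members = group.GetMembers(false))
        {
            foreach (Principal member in members)
            {
                string memberPath = path + " > " + member.SamAccountName;
                var nested = member as GroupPrincipal;
                if (nested != null)
                    WalkGroup(nested, memberPath, visitedSids, results);
                else if (member is UserPrincipal && !results.ContainsKey(member.SamAccountName))
                    results[member.SamAccountName] = memberPath; // first path found wins
                member.Dispose();
            }
        }
    }
}
```

Call `NestedGroupWalker.Walk("SomeGroup")` from a domain-joined machine; the returned dictionary answers the "which nested group did this user come through" question for the first path found.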
-1

Assuming you're using the LDAP view into ActiveDirectory, the attribute you're looking for is called "objectClass". A group shows up with an objectClass of "groupOfNames", I believe; possibly "group". Alternatively, just look to see if the object has any "member"s, regardless of object class, and if it does, assume it's some sort of group and recurse.

Mark Reed