1

We are using the following code to get the groups of an active directory user.

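// Requires: using System; using System.Collections; using System.Collections.Specialized;
// using System.DirectoryServices; using System.DirectoryServices.AccountManagement;
StringCollection groups = new StringCollection();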

try
{
   using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName, userName, password))
   {
      //find user roles
      UserPrincipal user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, loginUserName);

      if (user != null)
      {
         DirectoryEntry de = (DirectoryEntry)user.GetUnderlyingObject();
         object obGroups = de.Invoke("Groups");                        

         foreach (object ob in (IEnumerable)obGroups)
         {
            DirectoryEntry obGpEntry = new DirectoryEntry(ob);                            
            groups.Add(obGpEntry.Name);
         }    
      }
   }
}
catch (Exception e)
{
   // exceptions are swallowed here, so a failed lookup also yields an empty collection
}

This is working almost as expected. But when we check users in the Domain Users group, the method doesn't return the group name. Some users are only in the Domain Users group, and when we call this method for such users, it returns an empty group.

Any suggestions, please?

Mahesh KP

1 Answer

2

It's a well-known and documented "omission" that the so-called primary group is not returned from the Groups method in this code. There are some rather cryptic ways around this - or try this other approach:

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if(user != null)
{
   // the call to .GetAuthorizationGroups() will return **all** groups that
   // user is a member of - including the primary group and all nested 
   // group memberships, too!
   var result = user.GetAuthorizationGroups();
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

Update: if you insist on using the old legacy technology, check out this blog post by Ryan Dunn which explains in great detail how to get the primary group for an AD account in C#.

marc_s
  • Yes, I have used this earlier, but then I got an error like "Information about the domain could not be retrieved (1355).". I can't figure out the cause, so I moved to using the old technique. – Mahesh KP Apr 02 '12 at 05:08
  • The given link is now showing a 404 error: http://dunnry.com/blog/2005/01/18/DeterminingYourPrimaryGroupInActiveDirectoryUsingNET.aspx%24 – Mahesh KP Apr 02 '12 at 05:30
  • @mahesh: sorry, had an extra character in there after pasting - fixed, works now. – marc_s Apr 02 '12 at 05:32
  • Thanks for the link, but I didn't understand the things explained there. I am planning to use user.GetAuthorizationGroups(), but I didn't understand why I am getting that exception. Can you please advise any solution for this? – Mahesh KP Apr 02 '12 at 11:36
  • Thanks for this link. I got the answer from this link: http://stackoverflow.com/questions/1179858/can-you-find-an-active-directory-users-primary-group-in-c – Mahesh KP Apr 03 '12 at 05:15
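
The primary group is missing from the Groups result because the user object stores only that group's RID in its primaryGroupID attribute rather than a membership link. As an added example (not code from the question, the answer or the linked posts), the following derives the primary group's SID from the user's objectSid and primaryGroupID; the class and method names and the sample SID are constructed for illustration.

```csharp
using System;
using System.Security.Principal;

static class PrimaryGroupExample
{
    // objectSid and primaryGroupID are the user's LDAP attributes, e.g.
    // (byte[])de.Properties["objectSid"].Value and
    // (int)de.Properties["primaryGroupID"].Value on a DirectoryEntry.
    public static SecurityIdentifier GetPrimaryGroupSid(byte[] objectSid, int primaryGroupId)
    {
        const string domainPrefix = "S-1-5-21-";
        var userSid = new SecurityIdentifier(objectSid, 0);
        string value = userSid.Value;   // S-1-5-21-<domain>-<user RID>

        // The domain SID is the user SID without its last sub-authority (the RID).
        int lastDash = value.LastIndexOf('-');
        if (!value.StartsWith(domainPrefix, StringComparison.Ordinal)
            || lastDash <= domainPrefix.Length)
        {
            throw new ArgumentException("Not a domain account SID: " + value);
        }

        // primaryGroupID holds only the group's RID, so append it to the domain SID.
        string domainSid = value.Substring(0, lastDash);
        return new SecurityIdentifier(domainSid + "-" + primaryGroupId);
    }

    static void Main()
    {
        // Constructed sample values, not taken from a real directory.
        var sampleUser = new SecurityIdentifier(
            "S-1-5-21-1111111111-2222222222-3333333333-1104");
        byte[] objectSid = new byte[sampleUser.BinaryLength];
        sampleUser.GetBinaryForm(objectSid, 0);
        int primaryGroupId = 513;       // well-known RID of Domain Users

        SecurityIdentifier groupSid = GetPrimaryGroupSid(objectSid, primaryGroupId);
        Console.WriteLine(groupSid.Value);
    }
}
```

The resulting SID can be resolved to a group with GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, groupSid.Value). Code that makes authorization decisions from the Groups result alone will not see this group.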