Active Directory: Retrieve User information

Question

I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?

Answer 1

A very good reference: Howto: (Almost) Everything In Active Directory via C#

Answer 2

You might find the following snippet useful as a starter.

public static bool IsUserInGroup(string lanid, string group)
{
    DirectoryEntry entry = new DirectoryEntry("LDAP://" + LDAPPATH);
    if(entry != null)
    {
        entry.Username=@"LDAPUSER";
        entry.Password="LDAPPASSWORD";
        DirectorySearcher srch = new DirectorySearcher(entry);
        srch.Filter = String.Format("(&(objectClass=person)(sAMAccountName={0}))", lanid);
        srch.PropertiesToLoad.Add("memberOf");

        SearchResult result = srch.FindOne();
        if(result != null)
        {
            if(result.Properties.Contains("memberOf"))
            {
                string lookfor = String.Format("cn={0},", group.ToLower());
                foreach(string memberOf in result.Properties["memberOf"])
                {
                    if(memberOf.ToLower().StartsWith(lookfor))
                        return true;
                }
            }
        }
        return false;
    }
    throw new Exception(String.Format("Could not get Directory lanid:{0}, group{1}",   lanid, group));
}

Answer 3

Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:

• In a URI, write LDAP in lowercase. Otherwise you'll get a mystery error. I spent more than a day on this depressing issue...
• To clear a single-valued property, set it to an empty string, not null. Null causes an exception.
• To clear a multi-valued property, use the DirectoryEntry.Property.Clear() method.
• The Active Directory schema reference will say which data type a value will be and whether it is multi-value or single-value.
• You do not need to manually RefreshCache() on a Directoryentry but if you ever use it and specify which properties to cache, know that it will not auto-retrieve any other properties in the future.
• A COMException can be thrown at absolutely any time you use the classes in System.DirectoryServices. Keep an eye on those try blocks. Do not assume anything is safe.

You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.

The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).

AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.

Answer 4

Have a look at the System.DirectoryServices namespace:

System.DirectoryServices Namespace

Answer 5

I've used a standard LDAP library to retrieve information from an Active Directory server, but you'd have to verify that the data you need is available via the LDAP server's schema. In general, you can get any information stored in InetOrganizationalPerson and most of the information related to the group(s) they belong to.