Reputation: 5800
I was using the following code to get all the users from a specific Active Directory group in a specific domain. This code is working fine.
    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;

    using (var context = new PrincipalContext(ContextType.Domain, "dept.mycomp.net"))
    {
        using (var group = GroupPrincipal.FindByIdentity(context, "IT Team"))
        {
            if (group != null)
            {
                // recursive = true also expands nested groups; OfType skips any computer
                // or contact members that would make a direct UserPrincipal cast throw
                var users = group.GetMembers(true).OfType<UserPrincipal>();
                foreach (UserPrincipal user in users)
                {
                    Console.WriteLine("Name: " + user.DisplayName);
                    Console.WriteLine("Network Id: " + user.SamAccountName);
                }
            }
        }
    }
I saw there is an Entire Directory option in the Active Directory Lookup window. So I searched a bit and found the following code; this code will get me all the users from the Entire Directory root level. This code is also working fine in my case:
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;

    string username = "jdoe"; // the account to look up (placeholder value)
    var currentForest = Forest.GetCurrentForest();
    var gc = currentForest.FindGlobalCatalog();
    using (var userSearcher = gc.GetDirectorySearcher())
    {
        // redundant nested parentheses removed from the filter; if "username" ever comes
        // from user input it must be LDAP-escaped (RFC 4515) before being spliced in
        userSearcher.Filter = "(&(objectCategory=Person)(objectClass=User)(samaccountname=" + username + "))";
        SearchResult result = userSearcher.FindOne(); // null when no such account exists
    }
Question: how would I modify the latter code to fetch all the users for a specific group at root level? I would be passing just the GroupName instead of Domain & Group Name.
Upvotes: 1
Views: 1070
Reputation: 40998
The Entire Directory option searches the Global Catalog, rather than just the domain, as it looks like you've found out. The only difference in the search is which port it connects to. Port 389 is the LDAP port, which searches only the domain of the server you're connecting to. Port 3268 is the Global Catalog. A short form for this is using GC:// instead of LDAP://.
If you're working only in a single environment where you know the domain, you can just hard code it. It'll save the network requests of GetCurrentForest() and FindGlobalCatalog().
This is what I mean:
    var searcher = new DirectorySearcher(new DirectoryEntry("GC://dept.mycomp.net"));
On to your other question of searching for a specific group: Keep in mind that the Global Catalog searches your AD forest, which can be more than one domain. The names of any object are only enforced unique within the domain, not the forest. So if you search the GC for the name of a group, you can potentially get duplicates. (There could be an "IT Team" group in every one of your domains.)
But anyway, if we assume you only have one group by that name in your whole forest, this is how you would search for it and get the members:
    using System.Collections.Generic;
    using System.DirectoryServices;

    var groupname = "IT Team";
    var members = new List<string>();
    // dispose the root entry as well; DirectorySearcher does not dispose what it is handed
    using (var root = new DirectoryEntry("GC://dept.mycomp.net"))
    using (var searcher = new DirectorySearcher(root)) {
        // groupname is a literal here; a value taken from input must be escaped
        // per RFC 4515 before it is spliced into the filter
        searcher.Filter = "(&(objectCategory=group)(objectClass=group)(cn=" + groupname + "))";
        searcher.PropertiesToLoad.Add("member"); //only get the member attribute
        SearchResult result = searcher.FindOne(); // SearchResult is not IDisposable, so no using here
        if (result != null) {
            foreach (var member in result.Properties["member"]) {
                members.Add((string)member); // each value is a distinguishedName
            }
        }
    }
When that completes, members will be a list of the distinguishedName of each member. If you want a different attribute (like displayName) then you will need to create a DirectoryEntry for each member and get that attribute.
There are a couple caveats that may or may not be relevant:
DirectoryEntry. If your group isn't that big, then it's not an issue.
Upvotes: 1
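The following is an added example, not code from the question or the answer above. It puts the answer's approach together in one class and handles the three things a practitioner runs into with it: the group name is escaped before it goes into the LDAP filter (otherwise a name such as `*)(cn=*` rewrites the query), a name that matches groups in more than one domain of the forest is reported as ambiguous instead of silently resolving to one of them, and groups with more than 1500 members are read with range retrieval, since AD caps the number of values returned for a multi-valued attribute in a single read. The host `dept.mycomp.net`, the group name `IT Team` and the class and method names are assumptions; it needs `System.DirectoryServices` on a domain-joined Windows machine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example (not the answer's code). Host "dept.mycomp.net" and group
// "IT Team" are placeholders; needs System.DirectoryServices on Windows.
public static class GcGroupLookup
{
    // RFC 4515 escaping for a value spliced into an LDAP filter. Without it a
    // name like "*)(cn=*" turns the exact-name lookup into a wildcard query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Look the group up by CN over the Global Catalog (port 3268). FindAll instead of
    // FindOne, so a name that exists in several domains is reported as ambiguous
    // rather than silently resolved to whichever domain answered first.
    public static List<string> GetMemberDns(string gcHost, string groupName)
    {
        string filter = "(&(objectCategory=group)(cn=" + EscapeFilterValue(groupName) + "))";
        using (var root = new DirectoryEntry("GC://" + gcHost))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            if (results.Count == 0)
                throw new InvalidOperationException("No group named '" + groupName + "' in the forest");
            if (results.Count > 1)
            {
                var dns = new List<string>();
                foreach (SearchResult r in results)
                    dns.Add((string)r.Properties["distinguishedName"][0]);
                throw new InvalidOperationException("Group name is ambiguous: " + string.Join(" | ", dns));
            }
            return ReadAllMembers(results[0].Path);
        }
    }

    // AD returns at most 1500 values of a multi-valued attribute per read. Bigger
    // groups need range retrieval: ask for member;range=0-1499, then 1500-2999, ...
    // until the server names the returned range with a "*" upper bound.
    public static List<string> ReadAllMembers(string groupPath)
    {
        const int step = 1500;
        var members = new List<string>();
        using (var group = new DirectoryEntry(groupPath))
        {
            for (int start = 0; ; start += step)
            {
                string prefix = "member;range=" + start + "-";
                group.RefreshCache(new[] { prefix + (start + step - 1) });
                string returned = null;
                foreach (string name in group.Properties.PropertyNames)
                    if (name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) returned = name;
                if (returned == null) break;                       // empty group or no more values
                foreach (object dn in group.Properties[returned]) members.Add((string)dn);
                if (returned.EndsWith("*")) break;                 // server marked this as the last range
            }
        }
        return members;
    }

    // Resolve each member DN to the two attributes the question printed. Members may be
    // nested groups, computers or foreign security principals, so only objects with
    // objectCategory Person are kept. "/" inside a DN must be escaped as "\/" in an ADsPath.
    public static List<KeyValuePair<string, string>> ResolveUsers(string gcHost, IEnumerable<string> memberDns)
    {
        var users = new List<KeyValuePair<string, string>>();
        foreach (string dn in memberDns)
        {
            using (var entry = new DirectoryEntry("GC://" + gcHost + "/" + dn.Replace("/", "\\/")))
            {
                entry.RefreshCache(new[] { "objectCategory", "displayName", "sAMAccountName" });
                string category = entry.Properties["objectCategory"].Value as string ?? "";
                if (!category.StartsWith("CN=Person,", StringComparison.OrdinalIgnoreCase)) continue;
                users.Add(new KeyValuePair<string, string>(
                    entry.Properties["displayName"].Value as string,
                    entry.Properties["sAMAccountName"].Value as string));
            }
        }
        return users;
    }
}
```

Usage is `var dns = GcGroupLookup.GetMemberDns("dept.mycomp.net", "IT Team");` followed by `GcGroupLookup.ResolveUsers("dept.mycomp.net", dns)`, which yields (displayName, sAMAccountName) pairs. One caveat that applies to any GC-based read of `member`: the Global Catalog only replicates the membership of universal groups from other domains. For a global or domain local group that lives outside the domain of the GC server you are talking to, the `GC://` read returns no members, and `ReadAllMembers` should instead be given an `LDAP://` path on a domain controller of the group's own domain.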