Get all users from Active Directory group

Question

I was using following code to get all the users from a specific Active Directory group in a specific domain. This code is working fine.

using (var context = new PrincipalContext(ContextType.Domain, "dept.mycomp.net"))
{
    using (var group = GroupPrincipal.FindByIdentity(context, "IT Team"))
    {
        if (group != null)
        {
            var users = group.GetMembers(true);

            foreach (UserPrincipal user in users)
            {
                Console.WriteLine("Name: " + user.DisplayName);
                Console.WriteLine("Network Id: " + user.SamAccountName);
            }
        }
    }
}

I saw there is Entire Directory option in Active Directory Lookup window. So I searched a bit and found following code; this code will get me all the users from Entire Directory root level. This code is also working fine in my case:

var currentForest = Forest.GetCurrentForest();
var gc = currentForest.FindGlobalCatalog();

using (var userSearcher = gc.GetDirectorySearcher())
{
    userSearcher.Filter = "(&((&(objectCategory=Person)(objectClass=User)))(samaccountname=" + username + "))";
    SearchResult result = userSearcher.FindOne();
}

Question: how would I modify the later code to fetch all the users for a specific group at root level? I would be passing just the GroupName Instead of Domain & Group Name.

Answer 1

The Entire Directory option searches the Global Catalog, rather than just the domain, as it looks like you've found out. The only difference in the search is which port it connects to. Port 389 is the LDAP port, which searches only the domain of the server you're connecting to. Port 3268 is the Global Catalog. A short form for this is using GC:// instead of LDAP://.

If you're working only in a single environment where you know the domain, you can just hard code it. It'll save the network requests of GetCurrentForest() and FindGlobalCatalog().

This is what I mean:

var searcher = new DirectorySearcher(new DirectoryEntry("GC://dept.mycomp.net"));

On to your other question of searching for a specific group: Keep in mind that the Global Catalog searches your AD forest, which can be more than one domain. The names of any object are only enforced unique within the domain, not the forest. So if you search the GC for the name of a group, you can potentially get duplicates. (there could be an "IT Team" group on all of your domains)

But anyway, if we assume you only have one group by that name in your whole forest, this is how you would search for it and get the members:

var groupname = "IT Team";
var members = new List<string>();
using (var searcher = new DirectorySearcher(new DirectoryEntry("GC://dept.mycomp.net"))) {
    searcher.Filter = "(&(objectCategory=group)(objectClass=group)(cn=" + groupname + "))";
    searher.PropertiesToLoad.Add("member"); //only get the member attribute

    using (SearchResult result = searcher.FindOne()) {
        foreach (var member in result.Properties["member"]) {
            members.Add(member);
        }
    }
}

When that completes, members will be a list of the distinguishedName of each member. If you want a different attribute (like displayName) then you will need to create a DirectoryEntry for each member and get that attribute.

There are a couple caveats that may or may not be relevant:

1. There could be groups inside that group. This does not look for members of those groups.
2. If your domain has a trust with another domain outside your forest, then members from that external domain show up differently. I talked about that in a post I made on my site called What makes a member a member?
3. This may or may not limit how many members you see to a max of 1000 (if the group has more than 1000 members). I can't remember off hand if that happens with this method. I know it does when reading the 'member' attribute from a DirectoryEntry. If your group isn't that big, then it's not an issue.