tags:

views:

272

answers:

1
Q: 

DirectoryServices.AccountManagement - group membership checking efficiency

We have a group in Active Directory with over 70k user accounts. I need to check whether someone is a member of that group. The code is going to run in a web app with a high volume of concurrent users. I'd prefer to stick to System.DirectoryServices.AccountManagement if possible to reduce the amount of code that's written for this app.

There appear to be 2 general approaches to checking whether someone is a member:

  1. Use UserPrincipal.IsMemberOf() to get a boolean value indicating membership
  2. Use UserPrincipal.GetGroups() to get a list of group memberships that I can manually check

I want to avoid the enumerating 70k users to check whether someone is in a group, so option 2 seems to be more efficient on face value. When I go into work I can do some tests against both methods but I wanted to get some info on what these methods are really doing under the covers. Am I on the right track here in my thinking?

One last point about the library I'm using. Can I get better performance if I drop out of System.DirectoryServices.AccountManagement altogether and write my own LDAP queries?

A: 

Well, one thing you might want to consider to make things more efficient is based on the fact that group membership really is managed by the group that has a list of users (and groups) that are its members. The "memberOf" on the user is really a calculated "back link" - see this excellent article for more information.

So if you need to check for membership in one or two groups, it might be a whole lot easier to just walk up to those groups and ask them for their members list, and cache those. When evaluating users, you'd only have to check whether or not their DN shows up in one of the group member lists, without hitting AD over and over again.

You'd be doing something like:

GroupPrincipal myGroup = Group.FindByIdentity(context, "myGroupName");

var members = myGroup.GetMembers();

With this, you should be able to get better performance thanks to caching of the group membership info. Try it!

marc_s  2009-12-15 06:24:17

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?