I have been banging my head against this for quite a while and can't get it to work. I have an LDAP query that works in AD Users and Computers, but I don't know how to do it programmatically in C#.

Here is my LDAP query that works fine in the AD tool: (memberOf=CN=AccRght,OU=Groups,OU=P,OU=Server,DC=mydomain,DC=com)(objectCategory=user)(objectClass=user)(l=City)

I have used this code to get the user accounts that are members of CN=AccRght, but I'm not succeeding in limiting it to users belonging to a specific city.

public StringCollection GetGroupMembers(string strDomain, string strGroup)
{
    StringCollection groupMembers = new StringCollection();
    try
    {
        // Bind to the domain root and search from there. The searcher has to be
        // rooted at this entry; otherwise "ent" is never used and the search runs
        // against the default naming context of whatever domain the machine is in.
        // Note: strGroup is concatenated into the filter unescaped; RFC 4515
        // metacharacters ( ) * \ NUL in untrusted input must be escaped.
        using (DirectoryEntry ent = new DirectoryEntry("LDAP://DC=" + strDomain + ",DC=com"))
        using (DirectorySearcher srch = new DirectorySearcher(ent, "(CN=" + strGroup + ")"))
        using (SearchResultCollection coll = srch.FindAll())
        {
            foreach (SearchResult rs in coll)
            {
                ResultPropertyCollection resultPropColl = rs.Properties;
                // Each value of "member" is the DN of one group member; bind to it
                // and read its account name.
                foreach (Object memberColl in resultPropColl["member"])
                {
                    using (DirectoryEntry gpMemberEntry = new DirectoryEntry("LDAP://" + memberColl))
                    {
                        System.DirectoryServices.PropertyCollection userProps = gpMemberEntry.Properties;
                        object obVal = userProps["sAMAccountName"].Value;
                        if (null != obVal)
                        {
                            groupMembers.Add(obVal.ToString());
                        }
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        Console.Write(ex.Message);
    }
    return groupMembers;
}

Thanks for any help!

+1  A: 

If you are actually looking for a way to recursively enumerate group members, maybe you need to use the recursive version of memberof (which you can achieve by using the (memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x))) syntax).

More info here: http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx

naivists
+1  A: 

Well, basically all you need is to transfer that LDAP filter you're using in the tool into your DirectorySearcher - something like this:

public StringCollection GetGroupMembers(string strDomain, string strGroup)
{
    StringCollection groupMembers = new StringCollection();

    try
    {
        // Bind to the domain root and root the searcher at it (the original
        // created "ent" but never handed it to the searcher).
        using (DirectoryEntry ent = new DirectoryEntry("LDAP://DC=" + strDomain + ",DC=com"))
        using (DirectorySearcher srch = new DirectorySearcher(ent))
        {
            // Build the LDAP filter: the group name from the parameter goes into
            // the memberOf clause, AND-ed with the filter you used in the AD tool.
            // To "AND" conditions, use the LDAP filter syntax:
            //  (&(condition1)(condition2))
            // The filter matches user objects, so the account name is read from
            // each result directly; a user object has no "member" attribute.
            srch.Filter = string.Format(
                "(&(memberOf=CN={0},OU=Groups,OU=P,OU=Server,DC=mydomain,DC=com)(objectCategory=user)(objectClass=user)(l=City))",
                EscapeFilterValue(strGroup));
            srch.PropertiesToLoad.Add("sAMAccountName");

            using (SearchResultCollection coll = srch.FindAll())
            {
                foreach (SearchResult rs in coll)
                {
                    ResultPropertyCollection resultPropColl = rs.Properties;
                    if (resultPropColl["sAMAccountName"].Count > 0)
                    {
                        groupMembers.Add(resultPropColl["sAMAccountName"][0].ToString());
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        Console.Write(ex.Message);
    }
    return groupMembers;
}

// Escapes the RFC 4515 filter metacharacters so a group name cannot alter the
// structure of the filter (backslash first, so the escapes themselves survive).
static string EscapeFilterValue(string value)
{
    return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
}

That should apply that filter to your search, e.g. you should now only get back users for that specific city.

Definitely check out this MSDN article Managing Directory Security Principals in the .NET Framework 3.5 - excellent intro to S.DS.AM! :-)

marc_s
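The following is an added example, not code from the question or from either answer. It pulls both answers together: it builds the AND-ed filter from the question with RFC 4515 escaping applied to the values that come from callers, can switch the memberOf clause to the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) that naivists mentions so members of nested groups are matched too, and runs the search with paging so results are not cut off at the server's default page size. The helper names (EscapeFilterValue, BuildFilter, GetCityMembers) are mine; the group DN and the city value are the sample values from the question; it assumes the System.DirectoryServices assembly (available on .NET Framework, or via the System.DirectoryServices package on newer .NET) and a domain-joined machine or an LDAP path it can bind to. The chain matching rule needs Windows Server 2003 SP2 or later domain controllers.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example: build the group-plus-city filter safely and run it.
public static class CityGroupQuery
{
    // OID of LDAP_MATCHING_RULE_IN_CHAIN; makes memberOf match nested membership.
    const string ChainRule = "1.2.840.113556.1.4.1941";

    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Produces (&(memberOf=<groupDn>)(objectCategory=person)(objectClass=user)(l=<city>)).
    // With recursive=true the attribute becomes memberOf:<ChainRule>:, so users who
    // belong to the group only through a nested group are matched as well.
    public static string BuildFilter(string groupDn, string city, bool recursive)
    {
        string memberOfAttr = recursive ? "memberOf:" + ChainRule + ":" : "memberOf";
        return "(&(" + memberOfAttr + "=" + EscapeFilterValue(groupDn) + ")"
             + "(objectCategory=person)(objectClass=user)"
             + "(l=" + EscapeFilterValue(city) + "))";
    }

    // Runs the search from searchRootPath (e.g. "LDAP://DC=mydomain,DC=com", an
    // assumed value) and returns the sAMAccountName of every matching user.
    public static List<string> GetCityMembers(string searchRootPath, string groupDn,
                                              string city, bool recursive)
    {
        var accounts = new List<string>();
        using (var root = new DirectoryEntry(searchRootPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildFilter(groupDn, city, recursive);
            searcher.PageSize = 1000;                  // ask for paged results
            searcher.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    if (r.Properties["sAMAccountName"].Count > 0)
                        accounts.Add(r.Properties["sAMAccountName"][0].ToString());
                }
            }
        }
        return accounts;
    }

    public static void Main(string[] args)
    {
        // Sample DN from the question; replace with your own.
        string groupDn = "CN=AccRght,OU=Groups,OU=P,OU=Server,DC=mydomain,DC=com";

        Console.WriteLine(BuildFilter(groupDn, "City", false));
        Console.WriteLine(BuildFilter(groupDn, "City", true));
        // A city value carrying filter syntax stays a literal instead of
        // turning the query into a wildcard match on every city.
        Console.WriteLine(BuildFilter(groupDn, "City)(l=*", false));

        // Optional live run: <search root LDAP path> <city>
        if (args.Length == 2)
        {
            foreach (string acct in GetCityMembers(args[0], groupDn, args[1], true))
                Console.WriteLine(acct);
        }
    }
}
```

The first two lines printed show the direct and the chained form of the filter; the third shows the injected parentheses and asterisk coming out as \29, \28 and \2a escapes, so the extra (l=*) clause never becomes part of the filter structure. Commas and equals signs in the DN are not filter metacharacters and are left alone, which is why a DN can be placed in a memberOf clause after only this escaping.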