I am trying to get a user's group membership and limit the results to those that match a string, i.e. I am only interested in the user's group memberships where the group name begins with "test-".

The following is what I have been playing around with. Even though the user is a part of several groups that match the search string, the If statement is not returning True on any of them.

```vbnet
' Requires: Imports System.DirectoryServices, System.Windows.Forms
Private Function GetGroups(ByVal userName As String) As Collection
    Dim Groups As New Collection
    Dim intCount As Integer
    Dim entry As DirectoryEntry = ADEntry()
    Dim mySearcher As DirectorySearcher = New DirectorySearcher(entry)
    Dim arrList As New ArrayList()

    ' Limit the search results to only users
    mySearcher.Filter = "(&(ObjectClass=User)(CN=" & userName & "))"
    ' Load only the MemberOf attribute
    mySearcher.PropertiesToLoad.Add("MemberOf")

    Dim searchResults As SearchResultCollection = mySearcher.FindAll()
    MessageBox.Show(searchResults.Count)
    If searchResults.Count > 0 Then
        Dim group As New DirectoryEntry(searchResults(0).Path)
        For Each member As Object In group.Properties("MemberOf")
            MessageBox.Show("Pre: " + member) ' This message box returns all the groups the user is a part of.
            If group.Properties("memberOf").Contains("test-") = True Then
                MessageBox.Show(member) ' This message box never shows
            End If
        Next
    End If
    Return Groups
End Function
```

Is there any way of applying a search or If statement against an Object where the constraint is a wildcard?

The groups I am looking for could be one of about 60 (this amount does increase and decrease as staff leave).

I am using VB.NET 2.0.

Thanks,

Matt

+1  A: 

LDAP search filters allow you to use * as a wildcard, so you should be able to limit the search to the users you want by changing your filter to:

(&(ObjectClass=User)(CN=" & userName & ")(memberOf=test-*))

This should be quite a bit more efficient than looping through and restricting the results in code.

It may be helpful to take a look at Microsoft's documentation on LDAP filters.

ig0774
Lima
A: 

Make sure the group you are trying to query for is a "Global Group". I had a lot of trouble getting group membership code to work. The only way it ever worked for me was if the group was a "Global Group".

Zippit
Groups are Universal groups; however, I have changed one group to Global to test and this didn't result in the group being returned. searchresults.count in my original code is still returning 0.
Lima
+1  A: 

It seems to me that you should search for the groups where the user is a member. For example, if the CN of the user which you examine is CN=Test,CN=Users,DC=mydomain,DC=local, then the corresponding LDAP query should be

(&(cn=test-*)(objectCategory=group)(member=CN=Test,CN=Users,DC=mydomain,DC=local))

For the properties which should be loaded, you should choose attributes of the group LDAP object.

Oleg
Unfortunately this didn't work, nor any similar variation that I attempted.
Lima
Could you post the code which uses the query and does **not work**? In my environment it does work. Probably you have a problem not with the LDAP query, but with the code where you use it.
Oleg
By the way, you can use the ldp.exe utility (installed on Windows Server) to test LDAP queries. Just start the utility, choose connect and then bind in the menu. Then use searching. See http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm, http://support.microsoft.com/kb/224543 and http://support.microsoft.com/kb/252335 for more information. Don't forget to choose subtree level of searching.
Oleg
@oleg, in the original code I posted above, I replaced the mysearcher.filter line with the line that you have provided and the searchresults.count returns 0. The user I am testing this with is a part of two groups that I am interested in. All other lines in my original code are the same.
Lima
Did you use the **full DN** user name (like `CN=Test,CN=Users,DC=mydomain,DC=local`)? If not, you should get the `DN` attribute of the user and construct the query for the group using this `DN` value.
Oleg
Yep this worked, I supplied the filter the DN and it is returning results. Thanks heaps for your patience and time.
Lima
You're welcome! I find your question interesting because it shows that one can't use wildcards with multi-value attributes like `MemberOf`.
Oleg
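
The approach the thread settled on, written out as an added example (not code from any of the posters): resolve the user's full DN first, then search for groups with `cn=test-*` and `member=<DN>`. The module name, both function names and the `root` parameter are assumptions; every value placed into a filter is escaped per RFC 4515, so a user name or DN containing `(`, `)`, `*` or `\` cannot change the structure of the filter.

```vbnet
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text

Module TestGroupLookup   ' hypothetical module name
    ' Escape a value for use inside an LDAP search filter (RFC 4515).
    Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Returns the CNs of groups named "test-*" that list the user as a direct
    ' member (nested group membership is not resolved by the member attribute).
    ' root is an assumed, already-bound DirectoryEntry for the search base.
    Function GetTestGroups(ByVal root As DirectoryEntry, ByVal userName As String) As List(Of String)
        Dim groups As New List(Of String)()
        Dim userDn As String = Nothing
        ' Step 1: look up the user's distinguishedName from the CN.
        Using userSearch As New DirectorySearcher(root)
            userSearch.Filter = "(&(objectClass=user)(cn=" & EscapeLdapFilterValue(userName) & "))"
            userSearch.PropertiesToLoad.Add("distinguishedName")
            Dim user As SearchResult = userSearch.FindOne()
            If user Is Nothing Then Return groups
            userDn = CStr(user.Properties("distinguishedName")(0))
        End Using
        ' Step 2: the wildcard goes on the group's cn; member must be the exact DN.
        Using groupSearch As New DirectorySearcher(root)
            groupSearch.Filter = "(&(objectCategory=group)(cn=test-*)(member=" & EscapeLdapFilterValue(userDn) & "))"
            groupSearch.SearchScope = SearchScope.Subtree
            groupSearch.PropertiesToLoad.Add("cn")
            Using results As SearchResultCollection = groupSearch.FindAll()
                For Each r As SearchResult In results
                    groups.Add(CStr(r.Properties("cn")(0)))
                Next
            End Using
        End Using
        Return groups
    End Function
End Module
```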