使用 DirectorySynchronization 时获取 Microsoft Active Directory 属性“memberOf”的正确方法

Question

I regularly read out the active directory for an application to store the current state in a database. To reduce the amount of data I use DirectorySynchronization to get only the changes since the last query. But now I also need the attribute "memberOf" which is not provided by the DirectorySearcher when using DirectorySynchronization.

At the moment I get the DirectoryEntry for each found entry, but then more attributes are delivered than I need, which contradicts the actual intention.

Is there a way to set which attributes are read with DirectoryEntry, similar to PropertiesToLoad with DirectorySearcher or is there better way to read the attribute "memberOf" when using DirectorySynchronization?

Code excerpt:

using System.DirectoryServices;

DirectoryEntry searchRoot = new DirectoryEntry(domain, username,password, AuthenticationTypes.Secure);
DirectorySearcher dirSearch = new DirectorySearcher(searchRoot);
dirSearch.PropertiesToLoad.Add("samaccountname");
dirSearch.PropertiesToLoad.Add("distinguishedname");
dirSearch.PropertiesToLoad.Add("mail");
//filter to user objects
dirSearch.Filter = "(objectCategory=person)";
dirSearch.Filter = "(objectClass=user)";

byte[] cookie = null;
DirectorySynchronization sync = new DirectorySynchronization(DirectorySynchronizationOptions.ObjectSecurity,cookie);
    
dirSearch.DirectorySynchronization = sync;
using (searchRoot)
{
    using (SearchResultCollection results = dirSearch.FindAll())
    {
        foreach (SearchResult result in results)
        {
            DirectoryEntry dirEntry = result.GetDirectoryEntry();
            List<string> memberOf = new List<string>();
            PropertyValueCollection prop = dirEntry.Properties["memberof"];
            
            foreach(var member in prop)
            {
                memberOf.Add((string)member);
            }
            
        }
    }
    cookie = sync.GetDirectorySynchronizationCookie();
}

Answer 1

But now I also need the attribute "memberOf" which is not provided by the DirectorySearcher when using DirectorySynchronization.

memberOf is a special attribute computed by the directory, so it's not provided by DirectorySynchronization (which uses in fact DirSync control ). The only thing that could provide DirectorySynchronization is the directory's real modification, which belongs to a user's DN added to a group object in the member attribute (which kind of triggers a memberOf recomputation)

At the moment I get the DirectoryEntry for each found entry, but then more attributes are delivered than I need, which contradicts the actual intention.

GetDirectoryEntry performs a new directory search and loads all the attributes (it has no link with the DirectorySearcher settings and previous search).

So, instead of the GetDirectoryEntry , you can use another DirectorySearcher (that will load just the memberOf ) that will do a single search on each loop (example without any strong tests, ie. null values etc.):

using (searchRoot)
{
    using (SearchResultCollection results = dirSearch.FindAll())
    {
        // A new DirectorySearcher
        DirectorySearcher anotherDirectorySearcher = new DirectorySearcher(searchRoot);
        anotherDirectorySearcher.PropertiesToLoad.Add("memberOf");
        foreach (SearchResult result in results)
        {
            // A new filter on each loop in order to look for an single entry
            anotherDirectorySearcher.Filter = $"(samaccountname={(string)result.Properties["samaccountname"][0]})";
            List<string> memberOf = new List<string>();            
            foreach(var member in anotherDirectorySearcher.FindOne().Properties["memberOf"])
            {
                memberOf.Add((string)member);
            }
            
        }
    }
    cookie = sync.GetDirectorySynchronizationCookie();
}

Note that:

dirSearch.Filter = "(objectCategory=person)";
// Here you override the previous one (the Filter property is a string)
dirSearch.Filter = "(objectClass=user)";
// If you want both, you can use:
dirSearch.Filter = "(&(objectCategory=person)(objectClass=user))";