C# Active Directory：获取列表临时组成员身份？

Question

I use the temporary (time-based) group membership mechanism in Active Directory for temporary user access to groups.

By means of Powershell, it is very easy to add users:

$ts = New-TimeSpan -Start (Get-Date) -End (Get-date).AddSeconds(50000)
Add-ADGroupMember -Identity "mytest" -Members "kul" -MemberTimeToLive $ts

Then I can view the users and the remaining time and TTL:

(Get-ADGroup 'mytest' -Property member -ShowMemberTimeToLive).member
<TTL=49891>,CN=kul,OU=Company,DC=test,DC=local

How can I use C# / LDAP to add and view users with their counters?

1. Adding via C# has already been solved - c# active directory temporary groupmembership?
2. But how to implement viewing the remaining TTL time for users? In the response of paragraph 1, there was a link explaining about direct and reverse AD links. How to get this data correctly using DirectoryEntry or GroupPrincipal ?

Answer 1

I've discovered this is part of a control search control that is provided in your search. 1.2.840.113556.1.4.2309 - LDAP_SERVER_LINK_TTL_OID

This is a quick example of its use in S.DS.P

var groupDN = "Your Group DN";

var showttlcontrol = new System.DirectoryServices.Protocols.DirectoryControl("1.2.840.113556.1.4.2309", null, true, true);

var request = new SearchRequest();
request.Controls.Add(showttlcontrol);
request.DistinguishedName = groupDN;
request.Scope = SearchScope.Subtree;
request.Attributes.AddRange(new string[] { "member" });

var response = (SearchResponse)connection.SendRequest(request);
var enumerator = response.Entries.GetEnumerator();
if (enumerator.MoveNext() && enumerator.Current is SearchResultEntry entry) {
    var member = entry.Attributes["member"].GetValues(typeof(string)).Select(x => (string)x).FirstOrDefault();
    Console.WriteLine(member);
}