
DirectorySearcher does not return all AD group members

I am trying to get all members of an Active Directory group in C#. My code looks like:

var searcher = new DirectorySearcher(defaultNamingContextEntry) {
    Filter = "(memberOf=" + group.Properties["distinguishedName"].Value + ")",
    PageSize = 1000,
    SearchScope = SearchScope.Subtree,
    Sort = new SortOption("sAMAccountName", SortDirection.Ascending)
};
var members = searcher.FindAll();

The code works so far, but has the problem that it does not return all group members.

I believe (I am not sure) that it returns what I can actually see for the "member" attribute in ADSI Edit (the group in question is a bit large to compare everything, but far below 1000), but these are not all members. There are users that are, according to AD Users & Computers, in the group which are not listed. If I look in the "Member Of" page, I can see the group, and ACL settings via the group affect the missing users, too. However, they are not in the result set.

The group in question is the primary group, in case this is relevant.

What is wrong here? What would be the correct parameters or query? Is this a problem of the AD itself?

Update: I have further investigated the problem (and tested Brian's solution, which I strongly recommend if your property collections are really large; I thought that there must be some kind of paging mechanism for properties, but could not find how it works):

I now know that the DirectorySearcher returns the correct result as seen in ADSI Edit.

I also know that the "Primary Group" (set by the "Set Primary Group" button on the "Member Of" page in AD Users & Computers) is missing. Unix extensions are enabled in the AD, so we usually use this option. Changing the primary group changes which members are missing. The effect is deterministic.

I have looked into the entries using ADSI edit, but could not find the field that would allow me to add the primary group in my search. Although I have enabled everything (Mandatory, Optional, Constructed, Backlink and System-only attributes), I cannot see the primary group.

My revised question is: what is the correct LDAP filter for retrieving the primary group, too?

You need to do value ranging. See http://www.netid.washington.edu/documentation/enumeratingLargeGroups.aspx for an example.
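
Added example, not part of the original question or answer: Active Directory records a user's primary group as a RID in the user's `primaryGroupID` attribute rather than in `member`/`memberOf`, so a filter has to match both to list every account that receives the group's access. The sketch below builds that filter from the group's DN and binary `objectSid`, and escapes the DN per RFC 4515 instead of concatenating it raw. The class and method names, the sample DN and the sample SID are constructed for illustration.

```csharp
using System;
using System.Text;

// Added example (hypothetical names): filter covering memberOf members
// and users whose primary group is the target group.
static class GroupMemberFilter
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    public static string Escape(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // The RID is the last 32-bit sub-authority of the binary SID (little-endian).
    public static uint RidFromSid(byte[] sid)
    {
        if (sid == null || sid.Length < 8) throw new ArgumentException("malformed SID");
        int count = sid[1];                       // number of sub-authorities
        if (count == 0 || sid.Length < 8 + 4 * count) throw new ArgumentException("malformed SID");
        int o = 8 + 4 * (count - 1);              // offset of the last sub-authority
        return (uint)sid[o] | (uint)sid[o + 1] << 8 | (uint)sid[o + 2] << 16 | (uint)sid[o + 3] << 24;
    }

    public static string Build(string groupDn, byte[] groupSid) =>
        "(|(memberOf=" + Escape(groupDn) + ")(primaryGroupID=" + RidFromSid(groupSid) + "))";

    static void Main()
    {
        // Constructed sample: SID S-1-5-21-1-2-3-513 and a DN containing parentheses.
        byte[] sid = { 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 1, 2, 0, 0 };
        Console.WriteLine(Build("CN=Staff (EU),OU=Groups,DC=example,DC=com", sid));
    }
}
```

The resulting string can be assigned to `DirectorySearcher.Filter` in place of the concatenated `memberOf` filter; the group's `objectSid` value is returned by the directory as a `byte[]`.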
