
Include primary group in AD search with DirectorySearcher

I need to get a list of all users and contacts in a specific Active Directory group in my C# application. Which group is used is variable and changed with a configuration file.

Since System.DirectoryServices.AccountManagement cannot handle contacts, I use DirectoryServices API with LDAP queries.

I use the following filter for my DirectorySearcher:

"(&(memberof:1.2.840.113556.1.4.1941:=" + groupDN +")(objectClass=person))"

groupDN is the Distinguished Name of the source group.

This works fine for normal groups, but it should be possible to have the configured group as any group, even "Domain Users". Since our Domain Users group doesn't actually have members, but is used as a primary group, the above filter returns 0 results when the group is "Domain Users".

I know that you can search for primary group membership with the filter:

(primaryGroupId=513)

but that doesn't account for other groups similar to Domain Users ("primary groups" if you will).

Is there another way to include primary group members in the search results?

The primaryGroupId attribute contains the last part of the group SID (objectSid attribute). The following MS article describes the technique used to get the primary group of a security principal: https://support.microsoft.com/en-us/help/297951/how-to-use-the-primarygroupid-attribute-to-find-the-primary-group-for

Be aware that the chain filter used to retrieve membership returns users from nested groups, but has performance issues on domains containing 10K+ users.
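Putting the answer's technique together with the question's filter, as an added example (not code from the question or the answer): read the configured group's objectSid, take its last sub-authority (the RID that primaryGroupId stores), and OR a primaryGroupId clause into the existing chain filter so primary-group members are returned too. The group DN and search root are assumed inputs; the RID is domain-relative, so the search root should be the group's own domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public static class GroupMembers
{
    // primaryGroupId holds the RID, i.e. the last sub-authority of the group's objectSid.
    public static int GetRid(byte[] objectSid)
    {
        string sid = new SecurityIdentifier(objectSid, 0).Value;   // e.g. S-1-5-21-...-513
        return int.Parse(sid.Substring(sid.LastIndexOf('-') + 1));
    }

    // Escape characters with special meaning in an LDAP filter value (RFC 4515),
    // so a DN containing "(" or "*" cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    public static string BuildFilter(string groupDn, int rid)
    {
        // The chain matching rule walks nested groups; primaryGroupId catches principals
        // whose primary group is this one and who are absent from its member attribute.
        return "(&(|(memberof:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(groupDn) + ")" +
               "(primaryGroupId=" + rid + "))(objectClass=person))";
    }

    // searchRootPath is an ADsPath such as "LDAP://DC=example,DC=com" (assumed input).
    public static List<string> FindMembers(string groupDn, string searchRootPath)
    {
        int rid;
        using (var group = new DirectoryEntry("LDAP://" + groupDn))
            rid = GetRid((byte[])group.Properties["objectSid"].Value);

        var dns = new List<string>();
        using (var root = new DirectoryEntry(searchRootPath))
        using (var searcher = new DirectorySearcher(root, BuildFilter(groupDn, rid)))
        {
            searcher.PageSize = 1000;                 // server-side paging for large domains
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    dns.Add((string)r.Properties["distinguishedName"][0]);
        }
        return dns;
    }
}
```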
