DirectoryService and get all groups

Jerry C

Is there an article or example on using DirectoryService to get all the groups
in Active Directory?
 
Joe Kaplan (MVP - ADSI)

In the whole forest or just a domain? It is easy either way. Just do a
subtree search on either the GC (for the whole forest) or a domain's
defaultNamingContext with a filter of (objectCategory=group). Make sure you
enable paging (PageSize=1000) so that all results will be returned if there
are more than 1000.

There is tons of example code from our book available for free on our book's
website, although it isn't easy to find specific things without the book as
everything is listed by listing number.

Joe K.
 
Jerry C

Joe,

Thanks for your reply. I was hoping for some examples. Maybe an article on
MSDN.

Thank you
 
Joe Kaplan (MVP - ADSI)

Listing 4.13 from our book (on the website below in the file downloads; pick
your language) shows how to do a basic paged search across a whole AD
domain. It searches for users, but you could take that sample, plug in the
filter I gave you that finds groups (objectCategory=group) and plug in your
domain's default naming context name and that would get you started.

All of the hard stuff is really with the details of how you connect
(security stuff, etc.) and such, but the basics are just that easy. If
there weren't lots of details to it, we wouldn't have written a whole book
about it. :) You didn't say anything about how you would run this code or
what you planned to do with the search results, so I don't really know how
to provide any more specific guidance. :)

I hope that helps some.

Joe K.
 
Luke Zhang [MSFT]

Hello Jerry,

Here is a sample from MSDN:

Searching for Groups
http://msdn2.microsoft.com/en-us/library/ms180909(d=ide).aspx

If there is anything unclear, please feel free to let us know.

Sincerely,

Luke Zhang

Microsoft Online Community Support
 
Jerry C

Thanks for the examples. I now have a list of the names of the groups (code
below). I was wondering if there is some information about the
properties of the group. I looked in the "About Active Directory" section of
the MSDN library but there is no properties section for the group class in
the "Active Directory Schema" section. I am probably looking in the wrong
place.
I find a lot of groups with this code and what I would like to do is know
if these groups are built in or created by the system administrator. I only
want the groups that are created by the administrator to manage users and not
the ones that are used by the system like printoperator and so on.

Dim strDomPath As String = "LDAP://cd2k3domtest/DC=CDTESTDOM,DC=atestsys,DC=com"
Dim dirEnt As New DirectoryEntry(strDomPath)
Dim dsGroups As New DirectorySearcher(dirEnt, "(objectCategory=group)")
Dim srGroupsCol As SearchResultCollection = dsGroups.FindAll()
Dim srGroups As SearchResult
For Each srGroups In srGroupsCol
    Dim ss As String
    ss = srGroups.Properties("name").Item(0).ToString
Next


Thank all of you for your help.
 
Marc Scheuner

Thanks for the examples. I now have a list of the names of the groups (code
below). I was wondering if there is some information about the
properties of the group.
I find a lot of groups with this code and what I would like to do is know
if these groups are built in or created by the system administrator. I only
want the groups that are created by the administrator to manage users and not
the ones that are used by the system like printoperator and so on.

I'm not sure if you can find this out easily - you can e.g. also have the
DirectorySearcher give you things like the "groupType" or other LDAP
properties - not sure if the "creator" of the group is being stored
anywhere, and whether or not you could have that returned (or filter
by that).

Marc
 
Joe Kaplan (MVP - ADSI)

The builtin groups will have the "1" bit set in the groupType enumerated
values and will also have the built-in domain sub-authority in the SID. For
example, built-in administrators has a group type of 0x80000005 and a fixed
SID of S-1-5-32-544 and domain admins, a "normal" global group with a
special RID, will have 0x80000002 and SID of S-1-5-21-xxx-xxx-xxx-512.

It would be possible to use a bitwise filter on the query to ignore the
built in groups (which would also slow it down), or it would be possible to
just filter out the results after the fact.

Does either of those options work for you, Jerry?

Joe K.
 
Jerry C

Thank you Marc and Joe for the replies. It did help. I still cannot find the
information about the properties of the group objectCategory. You have given
me information on the name and groupType property. I was wondering if there
is a link to some information about group category and the other categories
of AD.
 
Joe Kaplan (MVP - ADSI)

Every object in AD has an objectCategory, just like it has an objectClass.
In some instances, objectCategory uniquely identifies an object (like in the
case of group objects) and objectCategory is indexed, so it makes a good
attribute to use in a query filter. In some other cases like with the
person objectCategory, both the user and contact class share the same
category, so they cannot be uniquely identified by the category alone.

The documentation for all the schema stuff is in the AD schema reference
online in MSDN.

Joe K.
 
Jerry C

Joe,

Thank you for your reply. I checked under "Active Directory Schema",
"Classes", "All Classes", "Groups". There are attributes listed under this
class but none of them are "name" or "groupType" that work with the
properties of the objectCategory of group. There seems to be a disconnect between
the information from that section of the AD Schema and the properties that are
required for the properties of the directory searcher object. It seems to me
that there should be some information that would tell me what entries to use
in the line
ss = srGroups.Properties("name").Item(0).ToString

The "name" works but none of the attributes in the AD schema work. What am I
doing wrong?
 
Joe Kaplan (MVP - ADSI)

This page:

http://msdn.microsoft.com/library/d...n-us/adschema/adschema/c_group.asp?frame=true

Is the page you are talking about, right? In that case, groupType is
listed, but it is listed by its common name (Group-Type) instead of its
ldapDisplayName (which is what you use when programming), so it can be a
little confusing.

You should be able to add groupType to the PropertiesToLoad and then get the
value from the SearchResult:

searcher.PropertiesToLoad.Add("groupType")
.....
Dim groupType As Integer = DirectCast(result.Properties("groupType")(0), Integer)

Note that groupType is actually an enumerated, bitwise value, so it is
helpful to have an enum type defined for it. We have a sample of that in
our book and you can grab the code samples for free from our book's website
(ch 11).

Joe K.
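
Added example, not part of any post in this thread and not taken from the book or MSDN samples mentioned: a paged VB.NET search that combines the advice above (PageSize, PropertiesToLoad with ldapDisplayName values, a bitwise filter on the groupType "1" bit) and re-checks each result against the S-1-5-32 built-in SID prefix. The server name and naming context are placeholders, and the matching-rule OID 1.2.840.113556.1.4.803 (Active Directory's bitwise-AND rule) does not appear in the thread.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal

Module NonBuiltInGroups
    ' Bit 0x1 of groupType marks groups in the built-in domain (S-1-5-32-...).
    Const BuiltInBit As Integer = &H1
    ' LDAP_MATCHING_RULE_BIT_AND: matches when all bits of the given value are set.
    Const BitAndRule As String = "1.2.840.113556.1.4.803"

    ' True when either indicator described in the thread marks the group as built-in.
    Function IsBuiltIn(ByVal groupType As Integer, ByVal sid As SecurityIdentifier) As Boolean
        Return (groupType And BuiltInBit) <> 0 OrElse _
               sid.Value.StartsWith("S-1-5-32-", StringComparison.Ordinal)
    End Function

    Sub Main()
        ' Server-side filter: groups whose groupType does NOT have the built-in bit.
        Dim filter As String = String.Format( _
            "(&(objectCategory=group)(!(groupType:{0}:={1})))", BitAndRule, BuiltInBit)

        ' Placeholder path: substitute your own server and defaultNamingContext.
        Using root As New DirectoryEntry("LDAP://dc01.example.com/DC=example,DC=com")
            Using searcher As New DirectorySearcher(root, filter)
                searcher.SearchScope = SearchScope.Subtree
                searcher.PageSize = 1000                    ' return more than 1000 results
                searcher.PropertiesToLoad.Add("name")       ' ldapDisplayName values,
                searcher.PropertiesToLoad.Add("groupType")  ' not the schema common names
                searcher.PropertiesToLoad.Add("objectSid")

                Using results As SearchResultCollection = searcher.FindAll()
                    For Each result As SearchResult In results
                        Dim name As String = CStr(result.Properties("name")(0))
                        Dim groupType As Integer = _
                            DirectCast(result.Properties("groupType")(0), Integer)
                        Dim sid As New SecurityIdentifier( _
                            DirectCast(result.Properties("objectSid")(0), Byte()), 0)

                        ' After-the-fact check, still valid if the filter is relaxed later.
                        If IsBuiltIn(groupType, sid) Then Continue For
                        Console.WriteLine("{0,-40} 0x{1:X8} {2}", name, groupType, sid.Value)
                    Next
                End Using
            End Using
        End Using
    End Sub
End Module
```

Groups such as Domain Admins are still listed by this search, because, as described above, they are normal global groups (0x80000002) that differ only in having a special RID.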
 
Jerry C

Joe.

Thank you for the reply. Your guidance is greatly appreciated.

This is the test code I am using. I found all the property names by using
the PropertyNames property of the group directory entry.
I did find the group enum in your sample code. Thank you.

Dim strDomPath As String = "LDAP://cd2k3domtest/DC=CDTESTDOM,DC=adsys,DC=com"
Dim dirEnt As New DirectoryEntry(strDomPath)
Dim dsGroups As New DirectorySearcher(dirEnt, "(objectCategory=group)")
Dim srGroupsCol As SearchResultCollection = dsGroups.FindAll()
'an array for the property names.
Dim objarray() As Object
ReDim objarray(20)

Dim srGroups As SearchResult
For Each srGroups In srGroupsCol
    'will get all property names that are available
    srGroups.Properties.PropertyNames.CopyTo(objarray, 0)
    Dim ss As String
    'all to same string for testing
    'gets the 14th property name just a test
    ss = objarray(14).ToString 'use index from 0 to 20
    ss = srGroups.Properties("name").Item(0).ToString
    ss = srGroups.Properties("groupType").Item(0).ToString
Next

Thank you
 
Joe Kaplan (MVP - ADSI)

Yep, that basically works. I'm generally a fan of adding the attributes you
want to see to PropertiesToLoad, as that can reduce the amount of traffic
and make things a little faster. However, getting them all certainly works
fine too.

Feel free to post back if you have additional questions.

Joe K.
 
