querying AD users

SpaceMarine

hello,

I haven't done any research on this yet and about to, but I wanted to
see if anyone had any recommended links on programmatically working w/
AD users. (namely, looking up all users that begin w/ a certain
letter, or getting back a list of users matching a first name, etc..)

I'm building a UI that allows my admin-users to manage other users, it's
going to be used for securing access to parts of our apps.


thanks, and I'll post what I find.

sm
 
SpaceMarine

    .Filter = "(objectClass=user)(lastName >= A)"

actually asterisk wildcards are supported, so it's probably more like

lastName = A*

...will have to play around w/ it in the office.

sm
 
Guest

> actually asterisk wildcards are supported, so it's probably more like
>
>    lastName = A*
>
> ...will have to play around w/ it in the office.
>
> sm

Note, that if you run it from the ASP.NET application on a server, in
most cases you may need to implement impersonation in the application,
before you access the AD.

http://support.microsoft.com/kb/306158
 
SpaceMarine

> Note, that if you run it from the ASP.NET application on a server, in
> most cases you may need to implement impersonation in the application,
> before you access the AD.

well, I'd like to avoid impersonation if possible. if my DirectoryEntry
class is instantiated w/ an optional username & password in its
constructor (a service account given to me by our AD admin), then
would I no longer need to impersonate?


sm
 
Paul Clement

¤
¤ > Note, that if you run it from the ASP.NET application on a server, in
¤ > most cases you may need to implement impersonation in the application,
¤ > before you access the AD.
¤
¤ well, I'd like to avoid impersonation if possible. if my DirectoryEntry
¤ class is instantiated w/ an optional username & password in its
¤ constructor (a service account given to me by our AD admin), then
¤ would I no longer need to impersonate?

As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
privilege account.

With respect to syntax you would want to include the "and" operator in your query as well:

.Filter = "(&(objectClass=user)(lastName = A*))"

The following link should help you with LDAP query syntax:

http://msdn.microsoft.com/en-us/library/aa746475.aspx


Paul
~~~~
Microsoft MVP (Visual Basic)
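
An added example (not code posted by anyone in this thread): one way to build the prefix filter discussed above from a value typed into the admin UI, escaping it per RFC 4515 so the input cannot change the filter's structure. It assumes the surname lives in AD's `sn` attribute and the first name in `givenName`; the class and method names are hypothetical, and `ldapPath` is whatever LDAP path your AD admin supplies.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // add a reference to System.DirectoryServices
using System.Text;

static class AdUserLookup
{
    // RFC 4515 escaping: \ * ( ) and NUL become \5c \2a \28 \29 \00, so text
    // typed into the UI is always treated as a literal value, never as syntax.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        return sb.ToString();
    }

    // The attribute name comes from a fixed allow-list (assumed: sn, givenName),
    // never from the request. objectCategory=person excludes computer accounts.
    public static string BuildPrefixFilter(string attribute, string prefix)
    {
        if (attribute != "sn" && attribute != "givenName")
            throw new ArgumentException("unsupported attribute", "attribute");
        return "(&(objectCategory=person)(objectClass=user)(" + attribute + "="
               + EscapeFilterValue(prefix) + "*))";
    }

    // Binds as the identity the app runs under; the DirectoryEntry overload
    // taking (path, username, password) binds as a service account instead.
    public static List<string> FindUsers(string ldapPath, string attribute, string prefix)
    {
        var names = new List<string>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildPrefixFilter(attribute, prefix);
            searcher.PageSize = 500;                          // paged search
            searcher.PropertiesToLoad.Add("sAMAccountName");  // fetch only what the UI shows
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    if (r.Properties["sAMAccountName"].Count > 0)
                        names.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return names;
    }
}
```

With this escaping, a constructed input such as `A*)(x=` yields `(sn=A\2a\29\28x=*)`, a single literal prefix match rather than extra filter clauses.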
 
Guest

> ¤
> ¤ > Note, that if you run it from the ASP.NET application on a server, in
> ¤ > most cases you may need to implement impersonation in the application,
> ¤ > before you access the AD.
> ¤
> ¤ well, I'd like to avoid impersonation if possible. if my DirectoryEntry
> ¤ class is instantiated w/ an optional username & password in its
> ¤ constructor (a service account given to me by our AD admin), then
> ¤ would I no longer need to impersonate?
>
> As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
> then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
> NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
> privilege account.
>
> With respect to syntax you would want to include the "and" operator in your query as well:
>
>  .Filter = "(&(objectClass=user)(lastName = A*))"
>
> The following link should help you with LDAP query syntax:
>
> http://msdn.microsoft.com/en-us/library/aa746475.aspx

sm, you can also move the code for AD to a separate class library
DLL, and refer to it from your main ASP.NET application. You would
need to register that DLL as a COM component (Administrative Tools -
Component Services) using an account that has sufficient permissions
to query AD. In this case you would not need to make an impersonation
within your application and all requests to AD would go through the COM
 
