Re: Get SAMAccountNames for all users in an active directory group



I have a couple of questions for you.

First, what is the point of the impersonation code (that is not shown here)?
Your DirectoryEntry code is supplying fixed credentials, so the identity of
the current thread will not be used for the bind attempt. Since you are
using the ServerBind flag, that suggests that your path contains the name of
a specific domain controller, so you don't need the impersonation for
serverless binding either. It seems like an unnecessary step to me. Also,
were you aware that when you use the ServerBind flag but don't add back in
the Secure flag as well via |, you switch the security mechanism to use LDAP
simple bind instead? Since you aren't using the SSL flag, that means that
you are passing your credentials in plaintext on the network and that is
generally considered very bad. You should probably at the minimum add the
Secure flag back in.

It sounds like the error you are getting is related to a referral being
generated. In this particular group, is it a domain local or universal
group that has members from another domain in the forest in it? If so, that
could be the problem. Switching to Secure bind and setting ReferralChasing
to either Subordinate or All may fix that problem. As I recall, there are
some potentially weird issues with ASQ and referrals, but I think this is
something that can be fixed. I might have to dig back through some previous
posts on this detail though as I haven't thought about it for a long time.
:)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
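The two changes suggested above, shown together as an added example (this is not code from the thread or from the book's sample): the same attribute scope query, but bound with Secure Or ServerBind and with referral chasing enabled. The server name, group DN and credentials in Main are placeholders.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

' Added example (not code from the thread or the book). Server, group DN
' and credentials below are placeholders.
Public Module SecureGroupMembers

    ' Weak form from the thread (LDAP simple bind, credentials in plaintext):
    '   New DirectoryEntry(adsPath, user, password, AuthenticationTypes.ServerBind)
    ' Adding Secure back in keeps the server pinned but authenticates with
    ' Negotiate (Kerberos/NTLM), so the password never crosses the wire in clear.
    Public Function OpenGroupEntry(ByVal adsPath As String, _
                                   ByVal user As String, _
                                   ByVal password As String) As DirectoryEntry
        Return New DirectoryEntry(adsPath, user, password, _
            AuthenticationTypes.Secure Or AuthenticationTypes.ServerBind)
    End Function

    ' Attribute scope query over the group's "member" attribute. Referral chasing
    ' is switched on so that members homed in another domain of the forest are
    ' followed instead of surfacing as "A referral was returned from the server".
    Public Function GetMemberSamAccountNames(ByVal groupEntry As DirectoryEntry) As List(Of String)
        Dim names As New List(Of String)()
        Using searcher As New DirectorySearcher(groupEntry, _
                "(&(objectCategory=person)(objectClass=user))", _
                New String() {"sAMAccountName"})
            searcher.SearchScope = SearchScope.Base      ' ASQ requires Base scope
            searcher.AttributeScopeQuery = "member"     ' any DN-syntax attribute works
            searcher.ReferralChasing = ReferralChasingOption.All
            Using results As SearchResultCollection = searcher.FindAll()
                For Each sr As SearchResult In results
                    If sr.Properties.Contains("sAMAccountName") Then
                        names.Add(CStr(sr.Properties("sAMAccountName")(0)))
                    End If
                Next
            End Using
        End Using
        Return names
    End Function

    Sub Main()
        ' Placeholder values: replace with a real DC, group DN and service account.
        Using groupEntry As DirectoryEntry = OpenGroupEntry( _
                "LDAP://dc01.example.com/CN=SomeGroup,OU=Groups,DC=example,DC=com", _
                "EXAMPLE\svc-ldap-reader", "placeholder-password")
            For Each name As String In GetMemberSamAccountNames(groupEntry)
                Console.WriteLine(name)
            Next
        End Using
    End Sub
End Module
```

Because the DirectoryEntry carries explicit credentials, no thread impersonation is needed around it, which matches the first point in the reply. Both searcher and result collection are wrapped in Using so the underlying LDAP handles are released; FindAll otherwise leaks them until garbage collection.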
<psychrodraconic@xxxxxxxxx> wrote in message
news:c0168ec2-4000-4485-8c6b-b7e72755a3be@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I began looking at your sample and adapting it to work for my page and
found myself running across an obscure error that I'm not certain that
I understand the meaning of.

A referral was returned from the server. 0000202B: RefErr:
DSID-031006E0, data 0, 1 access points ref 1: 'someDomain.com'

This error is thrown when the src = ds.FindAll() line is fired. Any
ideas as to what may be causing this or what I could do to resolve it?

Below is the modified procedure utilizing your sample.

Public Shared Function getGroupMembersSAMAccountName(ByVal group As String) _
    As ArrayList
    Dim arrListSAMAccounts As New ArrayList

    Dim searchRoot As DirectoryEntry = Nothing
    Dim ds As DirectorySearcher = Nothing
    Dim src As SearchResultCollection = Nothing
    ' LDAPdomain, LDAPuser, LDAPpassword and Utilities.Impersonate are
    ' defined elsewhere in the poster's project (not shown in the thread)
    Dim adsPath As String = "LDAP://CN=" & group & _
        ",OU=Groups,dc=" & LDAPdomain & ",dc=com"

    '------ Start Impersonation ------
    Dim ImpersonateContext As WindowsImpersonationContext = _
        Utilities.Impersonate(LDAPuser, LDAPpassword, LDAPdomain)

    searchRoot = New DirectoryEntry( _
        adsPath, _
        LDAPdomain + "\" + LDAPuser, LDAPpassword, _
        AuthenticationTypes.ServerBind _
    )

    Dim attribs() As String = New String() _
        {"distinguishedName", "sAMAccountName", "name", "mail"}

    ds = New DirectorySearcher( _
        searchRoot, _
        "(&(objectClass=user)(objectCategory=person))", _
        attribs _
    )

    'must be SearchScope.Base
    ds.SearchScope = SearchScope.Base

    'we choose any DN-type attribute
    ds.AttributeScopeQuery = "member"

    src = ds.FindAll()

    For Each sr As SearchResult In src
        For Each s As String In attribs
            If sr.Properties.Contains(s) Then
                arrListSAMAccounts.Add(s & ": " & _
                    sr.Properties(s)(0))
            End If
        Next
    Next

    '------ End Impersonation ------
    ImpersonateContext.Undo()

    Return arrListSAMAccounts
End Function

On Jan 20, 10:59 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Yep, this is a good use for attribute scope query. There is a .NET code
sample from ch. 5 of our book which can be downloaded from our book's
website (see link below).

Most of the time, in situations where you could do an ASQ, you can simply do
the search "backwards". For example, you can search for all objects that
have memberOf = the DN of the group in question and return the
sAMAccountName and this will do the same basic thing as an ASQ would.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
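The "backwards" search described above, as an added example that is not the book's sample or code from the thread: users whose memberOf attribute holds the group's DN, with the DN escaped before it is spliced into the filter. The root DirectoryEntry is assumed to be opened by the caller (ideally with AuthenticationTypes.Secure, as the later reply recommends); the DN and server in Main are placeholders.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text

' Added example (not code from the thread or the book).
Public Module ReverseGroupLookup

    ' Escape the characters that have special meaning in an LDAP filter
    ' value (RFC 4515), so that a DN or name containing "(", ")", "*" or "\"
    ' cannot change the shape of the filter it is inserted into.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case ChrW(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' The reverse of an ASQ on "member": every user object whose memberOf
    ' contains the group's distinguished name.
    Public Function BuildMemberOfFilter(ByVal groupDn As String) As String
        Return "(&(objectCategory=person)(objectClass=user)(memberOf=" & _
            EscapeFilterValue(groupDn) & "))"
    End Function

    Public Function GetSamAccountNamesByMemberOf(ByVal domainRoot As DirectoryEntry, _
                                                 ByVal groupDn As String) As List(Of String)
        Dim names As New List(Of String)()
        Using searcher As New DirectorySearcher(domainRoot, _
                BuildMemberOfFilter(groupDn), New String() {"sAMAccountName"})
            searcher.SearchScope = SearchScope.Subtree
            ' Paged results: without a PageSize the server stops at its size
            ' limit (1000 by default) and large groups come back truncated.
            searcher.PageSize = 500
            Using results As SearchResultCollection = searcher.FindAll()
                For Each sr As SearchResult In results
                    If sr.Properties.Contains("sAMAccountName") Then
                        names.Add(CStr(sr.Properties("sAMAccountName")(0)))
                    End If
                Next
            End Using
        End Using
        Return names
    End Function

    Sub Main()
        ' Placeholder server and DN; the caller owns the credentials and bind flags.
        Using root As New DirectoryEntry("LDAP://dc01.example.com/DC=example,DC=com")
            For Each name As String In GetSamAccountNamesByMemberOf(root, _
                    "CN=SomeGroup,OU=Groups,DC=example,DC=com")
                Console.WriteLine(name)
            Next
        End Using
    End Sub
End Module
```

The escaping matters because the thread's own code builds "(cn=" & group & ")" from a caller-supplied name; any value that reaches a filter should pass through EscapeFilterValue first. Like the member attribute that ASQ walks, memberOf reflects direct membership only, so nested groups and a user's primary group (primaryGroupID) do not appear in either result set.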
"Dean Wells (MVP)" <dwe...@xxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23H2SWgsWIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx

Do some digging on an LDAP control/feature called 'attribute scoped
queries' ... this will do as you ask in a single (from the client-side at
least) query.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
Remove the mask to send email

<psychrodraco...@xxxxxxxxx> wrote in message
news:c8a43f19-50d0-48ee-b655-58f14e1f5e98@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am trying to get a list of NT Login Names (SAMAccountNames) for the
users that belong to an active directory group. I have a function
that is used for receiving a list of the members of a group. This
works perfectly for getting the members. However, not so much for
getting the SAMAccountNames. Could anyone give me any guidance on how
to get the account names for a group in active directory?

Below is a sample method for getting the members for that group.

Public Shared Function getGroupMembers(ByVal group As String) _
    As ArrayList

    Dim Members As ArrayList = New ArrayList()
    Dim _path As String = _
        ConfigurationManager.AppSettings("ADConnectionString")

    '------ Start Impersonation ------
    ' LDAPuser, LDAPpassword, LDAPdomain and Utilities.Impersonate are
    ' defined elsewhere in the poster's project (not shown in the thread)
    Dim ImpersonateContext As WindowsImpersonationContext = _
        Utilities.Impersonate(LDAPuser, LDAPpassword, LDAPdomain)

    '------ Start running code -------
    Dim entry As DirectoryEntry = New DirectoryEntry(_path, _
        LDAPdomain + "\" + LDAPuser, LDAPpassword, _
        AuthenticationTypes.ServerBind)

    Dim search As DirectorySearcher = New DirectorySearcher(entry)

    search.Filter = "(cn=" & group & ")"
    search.PropertiesToLoad.Add("member")
    Dim result As SearchResult = search.FindOne()

    If Not (result Is Nothing) Then

        Dim propertyCount As Integer = _
            result.Properties("member").Count

        Dim equalsIndex, commaIndex As Integer
        Dim user As String

        For counter As Integer = 0 To propertyCount - 1

            ' each member value is a DN such as "CN=Name,OU=...";
            ' take the text between the first "=" and the first ","
            user = result.Properties("member")(counter).ToString

            equalsIndex = user.IndexOf("=", 1)
            commaIndex = user.IndexOf(",", 1)

            If Not (equalsIndex = -1) Then

                Members.Add(user.Substring((equalsIndex + 1), _
                    (commaIndex - equalsIndex) - 1))

            End If

        Next

    End If

    '------ End Impersonation ------
    ImpersonateContext.Undo()

    Members.Sort()

    Return Members

End Function


