Properly using directorysearcher to find a user in an AD Group

I'm trying to do a check to see if a specific active directory user account
exists in active directory AND a specific group. I can't seem to get the
filter down right.

I can do this to find a matching name in active directory:

================================================
Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(sAMAccountName=jsmith))"
oresult = osearcher.FindAll

For Each result In oresult
    If Not result.GetDirectoryEntry.Properties("SAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry.Properties("SAMAccountName").Value & "<br />")
    End If
Next

'This results in "jsmith" being printed to the screen (if jsmith exists in active directory)
================================================

I can do this to find a specific group name:

================================================
Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(objectCategory=Group)(sAMAccountName=Domain Admins))"
oresult = osearcher.FindAll

For Each result In oresult
    If Not result.GetDirectoryEntry.Properties("SAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry.Properties("SAMAccountName").Value & "<br />")
    End If
Next

'This results in "Domain Admins" being printed to the screen
================================================

I can even change the osearcher.Filter to just (sAMAccountName=Domain
Admins) and get the same result.

I'm trying to figure out how I can return the result (say, the user name
(sAMAccountName)) if the search parameter is both in AD and in the specific
group (or just the specific group).

My goal is to do a check like this (pseudocode):

================================================
Dim strUser As String = Request.ServerVariables("AUTH_USER")

Dim strADUser = osearcher.Filter = "(&(sAMAccountName=" & strUser & "))"

If strUser = strADUser Then
    Page.Redirect(ToSomePage)
Else
    Page.Redirect(ToFailedPage)
End If
================================================

I also need to check to see if they're in a specific group. I don't know how
I'd go about that. If, for instance, they're in the Sales group in AD, then
I could redirect them to the appropriate page. I could also, of course, keep
them out of other pages if they don't belong.

TIA,
Jim

Mar 13 '08 #1
On Mar 13, 6:57 pm, "Jim in Arizona" <tiltow...@hotmail.com> wrote:
> I'm trying to do a check to see if a specific active directory user account
> exists in active directory AND a specific group. I can't seem to get the
> filter down right.

Domain Admins is an object with distinguishedName (a key to identify
this object). For example, it can look like this

"CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com"

As you can see, it defines the path to the root

corp.com
---- Domain Groups
---------- Domain Admins

So, to find the user you should call the following filter

(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com))
Mar 13 '08 #2
On Mar 13, 8:18 pm, "Jim in Arizona" <tiltow...@hotmail.com> wrote:
> I'm hoping that if any of the searches were successful, their username
> (sAMAccountName) would show up on the screen.
>
> I'm not sure what to do to fix this. What am I doing wrong?

Jim, that's definitely because of the wrong memberOf value. I'm not
sure how your application is supposed to work but you can do the
following:

1) Download and install LDAP browser (for example, like the one I'm
using from http://www.ldapbrowser.com/download.htm). Connect to your
domain and check what memberOf you have in reality

2) Find group's distinguishedName dynamically using a new
DirectorySearcher.

The search filter for finding group you already know:

"(&(objectCategory=group)(sAMAccountName=" + groupName + "))"

where the group name is the name of the group you wanted to check
(e.g. "Domain Admins")

[pseudocode:]

Dim gsearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim gresult As SearchResultCollection
Dim result As SearchResult

gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" + groupName + "))"
gresult = gsearcher.FindAll

Dim dn As String

dn = gresult(0).Properties("distinguishedname")(0).ToString

After that you can use this dn as a value for the final search

"(&(sAMAccountName=" & username & ")(memberOf=" & dn & "))"
Mar 16 '08 #3
