
Properly using directorysearcher to find a user in an AD Group

I'm trying to do a check to see if a specific active directory user account
exists in active directory AND a specific group. I can't seem to get the
filter down right.

I can do this to find a matching name in active directory:

================================================
Imports System.DirectoryServices

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

' Exact match on the logon name (the outer (&...) with a single term is harmless)
osearcher.Filter = "(&(sAMAccountName=jsmith))"
oresult = osearcher.FindAll()

For Each result In oresult
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

'This results in "jsmith" being printed to the screen (if jsmith exists in
'active directory)
================================================

I can do this to find a specific group name:

================================================
Imports System.DirectoryServices

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

' Restrict to group objects; sAMAccountName of a group is its pre-Windows 2000 name
osearcher.Filter = "(&(objectCategory=Group)(sAMAccountName=Domain Admins))"
oresult = osearcher.FindAll()

For Each result In oresult
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

'This results in "Domain Admins" being printed to the screen
================================================

I can even change the osearcher.filter to just (sAMAccountName=Domain
Admins) and get the same result.

I'm trying to figure out how I can return the result (say, the user name
(sAMAccountName)) if the search parameter is both in AD and in the specific
group (or just the specific group).

My goal is to do a check like this (pseudocode):

================================================
' AUTH_USER is DOMAIN\user under Windows authentication; keep only the account name
Dim strUser As String = Request.ServerVariables("AUTH_USER")
If strUser.Contains("\") Then strUser = strUser.Substring(strUser.LastIndexOf("\"c) + 1)

' strUser is placed in the filter as-is here; it should be escaped before being trusted
osearcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & strUser & "))"
Dim strADUser As SearchResult = osearcher.FindOne()   ' Nothing if no such account

If strADUser IsNot Nothing Then
    Response.Redirect(ToSomePage)
Else
    Response.Redirect(ToFailedPage)
End If
================================================

I also need to check to see if they're in a specific group. I don't know how
I'd go about that. If, for instance, they're in the Sales group in AD, then
I could redirect them to the appropriate page. I could also, of course, keep
them out of other pages if they don't belong.

TIA,
Jim

Mar 13 '08 #1
2 Replies


On Mar 13, 6:57 pm, "Jim in Arizona" <tiltow...@hotmail.com> wrote:
[quotes the original question in full]
Domain Admins is an object with distinguishedName (a key to identify
this object). For example, it can look like this

"CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com"

As you can see, it defines the path to the root

corp.com
---- Domain Groups
---------- Domain Admins

So, to find the user you should call the following filter

(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com))
Mar 13 '08 #2

On Mar 13, 8:18 pm, "Jim in Arizona" <tiltow...@hotmail.com> wrote:
I'm hoping that if any of the searches were successful, their username
(sAMAccountName) would show up on the screen.

I'm not sure what to do to fix this. What am I doing wrong?
Jim, that's definitely because of the wrong memberOf value. I'm not
sure how your application is supposed to work but you can do
following:

1) Download and install LDAP browser (for example, like the one I'm
using from http://www.ldapbrowser.com/download.htm). Connect to your
domain and check what memberOf you have in reality

2) Find group's distinguishedName dynamically using a new
DirectorySearcher.

The search filter for finding group you already know:

"(&(objectCategory=group)(sAMAccountName=" + groupName + "))"

where the group name is the name of the group you wanted to check
(e.g. "Domain Admins")

[pseudocode:]

Dim gsearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim gresult As SearchResult

gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & groupName & "))"
gsearcher.PropertiesToLoad.Add("distinguishedName")
gresult = gsearcher.FindOne()   ' Nothing if no group has that name

Dim dn As String

If gresult IsNot Nothing Then
    dn = gresult.Properties("distinguishedName")(0).ToString()
End If

After that you can use this dn as a value for the final search

"(&(sAMAccountName=" & username & ")(memberOf=" & dn & "))"
Mar 16 '08 #3
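The two replies above give the procedure (resolve the group's distinguishedName from its sAMAccountName, then filter on (&(sAMAccountName=...)(memberOf=...))), and the question wants to feed AUTH_USER into that filter. The following is an added example written for this page; it is not code from the thread. It assumes the domain from the question ("LDAP://my.domain.local"), the "Sales" group the question mentions, an invented AUTH_USER value of "MYDOMAIN\jsmith", and a domain controller that accepts the LDAP_MATCHING_RULE_IN_CHAIN operator (Windows Server 2003 SP2 and later). The filter values are escaped per RFC 4515 before use, which the thread's snippets do not do.

```vbnet
Imports System
Imports System.DirectoryServices

' Added example (not from the thread): is an account a member of a named group?
' Group and user names are assumptions; the domain is the one from the question.
Public Module AdGroupCheck

    ' Escape a value before placing it inside an LDAP filter (RFC 4515), so input
    ' such as "jsmith)(objectClass=*" cannot change the meaning of the filter.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New System.Text.StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Resolve the group's distinguishedName by sAMAccountName; Nothing if not found.
    Public Function GetGroupDn(ByVal root As DirectoryEntry, ByVal groupName As String) As String
        Using gsearcher As New DirectorySearcher(root)
            gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & EscapeFilterValue(groupName) & "))"
            gsearcher.PropertiesToLoad.Add("distinguishedName")
            Dim gresult As SearchResult = gsearcher.FindOne()
            If gresult Is Nothing Then Return Nothing
            Return CStr(gresult.Properties("distinguishedName")(0))
        End Using
    End Function

    ' True if the user exists and is a member of the group. With nested = True the
    ' LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) makes the DC
    ' walk nested groups, which a plain memberOf= comparison does not do.
    ' Caveat: memberOf never lists an account's primary group (normally Domain Users).
    Public Function IsMemberOf(ByVal root As DirectoryEntry, ByVal userName As String, _
                               ByVal groupName As String, ByVal nested As Boolean) As Boolean
        Dim dn As String = GetGroupDn(root, groupName)
        If dn Is Nothing Then Return False

        Dim memberClause As String
        If nested Then
            memberClause = "(memberOf:1.2.840.113556.1.4.1941:=" & EscapeFilterValue(dn) & ")"
        Else
            memberClause = "(memberOf=" & EscapeFilterValue(dn) & ")"
        End If

        Using usearcher As New DirectorySearcher(root)
            usearcher.Filter = "(&(objectCategory=person)(objectClass=user)" & _
                               "(sAMAccountName=" & EscapeFilterValue(userName) & ")" & memberClause & ")"
            usearcher.PropertiesToLoad.Add("sAMAccountName")
            Return usearcher.FindOne() IsNot Nothing
        End Using
    End Function

    ' Strip the DOMAIN\ prefix that Request.ServerVariables("AUTH_USER") carries
    ' under Windows authentication, leaving just the sAMAccountName.
    Public Function AccountNameFromAuthUser(ByVal authUser As String) As String
        Dim i As Integer = authUser.LastIndexOf("\"c)
        If i < 0 Then Return authUser
        Return authUser.Substring(i + 1)
    End Function

    ' Console entry point; in an ASP.NET page the same calls go in Page_Load and the
    ' result drives Response.Redirect instead of Console.WriteLine.
    Sub Main()
        Using root As New DirectoryEntry("LDAP://my.domain.local")
            Dim user As String = AccountNameFromAuthUser("MYDOMAIN\jsmith")   ' assumed value
            If IsMemberOf(root, user, "Sales", True) Then
                Console.WriteLine(user & " is in Sales (directly or through a nested group)")
            Else
                Console.WriteLine(user & " is not in Sales, or does not exist")
            End If
        End Using
    End Sub

End Module
```

Escaping matters because AUTH_USER and any group name taken from a request end up inside the filter string; without it a crafted name can widen the match. The matching-rule-in-chain form is what lets an access check honour group nesting; pass nested = False to reproduce the exact memberOf= filter the replies describe, but remember that neither form will see the account's primary group.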
