Last post Aug 05, 2008 02:34 AM by maamir
Jul 13, 2008 11:30 AM|zano|LINK
I would like to search for all the users that are member of a security group, including the users in the nested groups.
I have a first algorithm that performs the search recursively (group by group) but as I am working with security groups I also tried to replace it with a single LDAP filter like this:
(&(objectCategory=User)(tokenGroups=<my root group SID>))
This throws an exception "The matching rule does not apply to the specified attribute type".
I don't know if I am using a bad syntax for my filter or if it is completely impossible to use tokenGroups in filters.
Thanks for any help,
Jul 31, 2008 06:07 AM|maamir|LINK
Maybe this code will be helpful to you.
result = search.FindOne();
drgroup = GroupData.NewRow();
// System.DirectoryServices.PropertyCollection propertycol;
// DirectoryEntry subentry = new DirectoryEntry("LDAP://"+ dn);
// propertycol = subentry.Properties;
// Object obj = propertycol["sAMAccountName"].Value;
// string userNam =(String)propertycol["displayName"].Value;
// string userid = obj.ToString();
Jul 31, 2008 08:23 AM|maamir|LINK
Sorry friends, my mistake. I hope this code will work for you.
Jul 31, 2008 09:05 AM|zano|LINK
Thanks for the help, I felt a bit alone on this problem [:)]
I am looking at the opposite problem solved by your code.
For a given user, you find the groups he directly belongs to.
For my problem, I have a security group and I want to search all the users that belong directly or indirectly to this group with as few LDAP queries as possible.
I still don't understand why I can't make a filter on the "tokenGroups" attribute while I can on other linked attributes.
By the way, you can simplify your code by adding "memberOf" in the PropertiesToLoad of the first search and skip the second (useless) search as "cn" and "memberOf" would be loaded in a single LDAP query instead of 2.
Aug 02, 2008 01:46 AM|johram|LINK
Hehe, it seems you have been fiddling with this for a while :)
Given a group, if you enumerate the multi-valued member attribute, you will get a DN list of members, including both nested groups and users. Problem here is that you won't be able to determine whether it is a group member or a user member. But maybe this solution is sufficient for you?
Aug 02, 2008 02:43 AM|zano|LINK
That's already what I do, but recursively to find all the nested group members.
For example, if I have:
Group1 with members Group2 and User1
Group2 with members User2 and User3
I am looking for a simple way of finding all the users that belong directly or indirectly to Group1: User1, User2 and User3.
The problem with the "member" attribute is that it contains only the direct members. In my example, only Group2 and User1 for Group1.
That means a recursive search which needs many LDAP requests.
After some searches on the net, I found the "tokenGroups" attribute which contains, for a given user, all the SIDs of the groups he belongs to directly or indirectly.
For my example, it's like:
User1 with tokenGroups Group1SID
User2 with tokenGroups Group1SID and Group2SID
User3 with tokenGroups Group1SID and Group2SID
My problem could be solved by a simple search like (&(objectCategory=User)(tokenGroup=Group1SID)) but I have an exception "The matching rule does not apply to the specified attribute type".
And that's where I am seeking some help. Is it possible to use "tokenGroup" in a filter? If not, I have to use the "member" attribute (but which is costly). If yes, do you know how to define the filter correctly?
I am really interested in the "tokenGroups" solution, because of performance and also because it allows more complex searches with other criteria on the users or with 2 groups at the same time. For example (&(objectCategory=User)(tokenGroup=Group1SID)(tokenGroup=Group3SID)(manager=someone)).
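The two approaches discussed in this thread, as an added example that is not code posted by any participant: the recursive expansion of "member" (telling groups from users by objectClass, which is the gap johram points out, and visiting each group once so a nested cycle cannot loop forever), and the inverse "tokenGroups" view computed as the transitive closure of memberOf. tokenGroups is an attribute the domain controller constructs per object when it is read, not a stored one, which is why it cannot appear in a filter and why the query above fails; the example therefore reads every user and filters locally to get what that filter would have returned. The directory is an in-memory model of zano's example (DNs and SIDs are constructed placeholders, with Group1 also nested back into Group2 to exercise the cycle handling); `read_entry` stands in for a DirectoryEntry/FindOne round trip and is counted so the query cost is visible. The RFC 4515 escape helper and `in_chain_filter` are added too: the latter builds the single-query form using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) on memberOf, which Active Directory supports on Windows Server 2003 SP2 and later.

```python
"""Nested-group expansion and the tokenGroups view over an in-memory model
of a directory. Added example for this thread, not code from any poster.
The DNs and SIDs below are constructed placeholders."""
from collections import deque

GROUPS_OU = "OU=Groups,DC=example,DC=com"
USERS_OU = "OU=Users,DC=example,DC=com"
G1, G2 = f"CN=Group1,{GROUPS_OU}", f"CN=Group2,{GROUPS_OU}"
U1, U2, U3 = (f"CN=User{i},{USERS_OU}" for i in (1, 2, 3))
SID_G1, SID_G2 = "S-1-5-21-0-0-0-1101", "S-1-5-21-0-0-0-1102"  # constructed
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed directory modelled on the thread's example (Group1 holds Group2
# and User1; Group2 holds User2 and User3), plus Group1 nested back into
# Group2 so that the cycle handling below is exercised.
DIRECTORY = {
    G1: {"objectClass": ["top", "group"], "objectSid": SID_G1, "member": [G2, U1]},
    G2: {"objectClass": ["top", "group"], "objectSid": SID_G2, "member": [U2, U3, G1]},
    U1: {"objectClass": USER_CLASSES, "member": []},
    U2: {"objectClass": USER_CLASSES, "member": []},
    U3: {"objectClass": USER_CLASSES, "member": []},
}


def build_member_of(directory):
    """memberOf is the back-link of member; derive it as the directory does."""
    member_of = {dn: [] for dn in directory}
    for dn, entry in directory.items():
        for member_dn in entry["member"]:
            member_of[member_dn].append(dn)
    return member_of


def make_reader(directory):
    """Return read_entry(dn): stands in for one DirectoryEntry/FindOne lookup."""
    member_of = build_member_of(directory)

    def read_entry(dn):
        entry = dict(directory[dn])
        entry["memberOf"] = member_of[dn]
        return entry
    return read_entry


def nested_users(root_group_dn, read_entry):
    """Every user DN that is a direct or transitive member of the group.
    Returns (users, number_of_lookups). Each member DN is read once to learn
    its objectClass, and each group is expanded once, so cycles terminate."""
    seen_groups, users, queries = set(), set(), 0
    queue = deque([root_group_dn])
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen_groups:
            continue  # nested groups can form cycles; expand each group once
        seen_groups.add(group_dn)
        entry = read_entry(group_dn)
        queries += 1
        for member_dn in entry["member"]:
            if member_dn in seen_groups or member_dn in users:
                continue  # already classified, no extra lookup needed
            member = read_entry(member_dn)
            queries += 1
            classes = {c.lower() for c in member["objectClass"]}
            if "group" in classes:
                queue.append(member_dn)
            elif "user" in classes:
                users.add(member_dn)
    return users, queries


def token_groups(user_dn, read_entry):
    """The SID set AD exposes as tokenGroups: the closure of memberOf upward."""
    sids, seen = set(), set()
    queue = deque(read_entry(user_dn)["memberOf"])
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        group = read_entry(group_dn)
        sids.add(group["objectSid"])
        queue.extend(group["memberOf"])
    return sids


def users_with_token_group(sid, directory, read_entry):
    """What (&(objectCategory=User)(tokenGroups=SID)) would return if the
    attribute were filterable; it is constructed on read, so a client must
    fetch every user and filter locally, as done here."""
    return {dn for dn, entry in directory.items()
            if "user" in entry["objectClass"]
            and sid in token_groups(dn, read_entry)}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515) so a
    DN or name containing ( ) * \\ cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def in_chain_filter(group_dn):
    """Single-query form: users whose memberOf chain reaches group_dn,
    via the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:1.2.840.113556.1.4.1941:=%s))" % ldap_filter_escape(group_dn))


if __name__ == "__main__":
    read = make_reader(DIRECTORY)
    print(nested_users(G1, read))
    print(users_with_token_group(SID_G1, DIRECTORY, read))
    print(in_chain_filter(G1))
```

On this model both views return User1, User2 and User3 for Group1, and the recursive expansion costs six lookups for a tree of five objects, which is the per-object cost zano describes. Against a real directory, `read_entry` would be replaced by a DirectorySearcher base-scope search loading objectClass, member and memberOf, with every DN passed through `ldap_filter_escape` before it is placed in a filter.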
Aug 05, 2008 02:34 AM|maamir|LINK
Maybe this code will help you; I am still trying the way you want.
dn = (
propertycol = subentry.Properties;