Last post Mar 16, 2013 10:56 PM by Angie xu - MSFT
Mar 11, 2013 08:34 AM|magnusb999|LINK
That AccountManagement is slower than using DirectoryServices or DirectoryServices.Protocols (which I have worked most with) isn't a big surprise. But in many cases it is good enough. However there is one thing which I don't understand why it is so slow
and that is using userprincipal.GetGroups(). For example in my test environment it will take about 2.3 sec on a user with 1(!) group. Another user with about 100 groups take about 5 sec.
If I use the form with GetGroups(PrincipalContext) and passing a context where I only look at the OU the user's grups are in (which is actually what I want to do in this case since all the group memberships I am interested in is in that ou) then performance
is what I expect, at least for the user with only one group. The user with 100 groups still take about 1 sec to get groups for (and in that case it will return no groups at all since it has no groups in that ou).
I guess that it will run a query for each group in memberof or something instead of doing an attribute scoped query.
Doing the oppsite, i.e to get all members of a group is reasonable fast (listing 100 members take about 100 ms).
Mar 11, 2013 05:18 PM|magnusb999|LINK
For other struggling:
One thing you might do if you only need the DN of groups and not any other attributes in each group then you can do something like this:
DirectoryEntry de = user.GetUnderlyingObject() as DirectoryEntry;
foreach (var dn in de.Properties["memberof"])
Or use DirectoryService / Protocols and do a attribute scoped query if you need other attributes of groups. But in my case I only needed the DN.
Note that you will not get primary group automatically when using directoryservices/protocols (or for that matter when using any other generic ldap tool).
Mar 16, 2013 10:56 PM|Angie xu - MSFT|LINK
why it is so slow and that is using userprincipal.GetGroups().
Userprincipal.GetGroups returns a collection of group objects that specify the groups of which the current principal is a member. (Inherited from Principal.). and you could learn the mechanism of Userprincipal.GetGroups below,
This method returns only the groups of which the principal is directly a member; no recursive searches are performed. Recursive search results are available for user principal objects.
The groups that are returned by this method may include groups from a different scope and store than the principal. For example, if the principal is an AD DS object that has a DN of "CN=SpecialGroups,DC=Fabrikam,DC=com, the returned set can contain groups
that belong to the "CN=NormalGroups,DC=Fabrikam,DC=com.
If the current principal is an AD DS principal, the returned groups include the principals primary group, as indicated by the "primaryGroupId" attribute on the AD DS object.
hope it helpful to you,