Properly using directorysearcher to find a user in an AD Group

Thread starter: Jim in Arizona

Jim in Arizona

I'm trying to do a check to see if a specific active directory user account
exists in active directory AND a specific group. I can't seem to get the
filter down right.

I can do this to find a matching name in active directory:

================================================
Imports System.DirectoryServices   ' at the top of the code-behind file

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(sAMAccountName=jsmith))"
oresult = osearcher.FindAll()

For Each result In oresult
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

' This results in "jsmith" being printed to the screen (if jsmith exists in
' active directory)
================================================

I can do this to find a specific group name:

================================================
Imports System.DirectoryServices   ' at the top of the code-behind file

Dim oroot As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.local")
Dim osearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim oresult As SearchResultCollection
Dim result As SearchResult

osearcher.Filter = "(&(objectCategory=Group)(sAMAccountName=Domain Admins))"
oresult = osearcher.FindAll()

For Each result In oresult
    If Not result.GetDirectoryEntry().Properties("sAMAccountName").Value Is Nothing Then
        Response.Write(result.GetDirectoryEntry().Properties("sAMAccountName").Value & "<br />")
    End If
Next

' This results in "Domain Admins" being printed to the screen
================================================

I can even change the osearcher.filter to just (sAMAccountName=Domain
Admins) and get the same result.

I'm trying to figure out how I can return the result (say, the user name
(samaccountname)) if the search parameter is both in AD and in the specific
group (or just the specific group).

My goal is to do a check like this (pseudocode):

================================================
' oroot and osearcher are declared as in the snippets above
Dim strUser As String = Request.ServerVariables("AUTH_USER")

osearcher.Filter = "(&(sAMAccountName=" & strUser & "))"
Dim adUser As SearchResult = osearcher.FindOne()

' ToSomePage / ToFailedPage stand for the URLs of the target pages
If Not adUser Is Nothing Then
    Response.Redirect(ToSomePage)
Else
    Response.Redirect(ToFailedPage)
End If
================================================

I also need to check to see if they're in a specific group. I don't know how
I'd go about that. If, for instance, they're in the Sales group in AD, then
I could redirect them to the appropriate page. I could also, of course, keep
them out of other pages if they don't belong.

TIA,
Jim
 

Domain Admins is an object with distinguishedName (a key to identify
this object). For example, it can look like this

"CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com"

As you can see, it defines the path to the root

corp.com
---- Domain Groups
---------- Domain Admins

So, to find the user you should call the following filter

(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp,DC=com))
 

--------------------------------------------------------------------------------

Thanks for responding, Alexey.

So far, whatever it is I'm trying, it isn't bringing anything up other than a
blank page.

Assuming our domain name is corp.mydomain.net I've tried these different
approaches:


osearcher.Filter = "(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Domain Groups,DC=corp, DC=mydomain, DC=net))"
jsmith is a member of Domain Admins in the case above. This returns a blank
page.

osearcher.Filter = "(&(sAMAccountName=jsmith)(memberOf=CN=Domain Admins,OU=Users,DC=corp, DC=mydomain, DC=net))"
I tried the OU being Users here because the Domain Admins group is actually
in the builtin OU called Users. Still a blank page.

osearcher.Filter = "(&(sAMAccountName=jdoe)(memberOf=CN=Users,OU=Users,DC=corp, DC=mydomain, DC=net))"
Jane Doe (jdoe) is in the Users OU, which is the default OU installed with
AD. Again, just returns a blank page.

osearcher.Filter = "(&(sAMAccountName=jdoe)(memberOf=CN=Users))"
This doesn't work either but no errors are returned, just a blank page.


I'm hoping that if any of the searches were successful, their username
(sAMAccountName) would show up on the screen.

I'm not sure what to do to fix this. What am I doing wrong?

Thanks Again,
Jim
 
I'm hoping that if any of the searches were successful, their username
(sAMAccountName) would show up on the screen.

I'm not sure what to do to fix this. What am I doing wrong?

Jim, that's definitely because of the wrong memberOf value. I'm not
sure how your application is supposed to work but you can do the
following:

1) Download and install LDAP browser (for example, like the one I'm
using from http://www.ldapbrowser.com/download.htm). Connect to your
domain and check what memberOf you have in reality

2) Find group's distinguishedName dynamically using a new
DirectorySearcher.

The search filter for finding the group you already know:

"(&(objectCategory=group)(sAMAccountName=" + groupName + "))"

where the group name is the name of the group you wanted to check
(e.g. "Domain Admins")

[pseudocode:]

Dim gsearcher As DirectorySearcher = New DirectorySearcher(oroot)
Dim gresult As SearchResultCollection

gsearcher.Filter = "(&(objectCategory=group)(sAMAccountName=" & groupName & "))"
gresult = gsearcher.FindAll()

Dim dn As String = ""

' Only read the DN if the group was actually found
If gresult.Count > 0 Then
    dn = gresult(0).Properties("distinguishedName")(0).ToString()
End If

After that you can use this dn as a value for the final search

"(&(sAMAccountName=" & username & ")(memberOf=" & dn & "))"
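The two-step lookup Alexey describes (resolve the group's distinguishedName, then search for the user with memberOf set to it), together with the user-and-group filter Jim asked for in the opening post, as an added example that is not code from this thread. It is plain Python with no LDAP library: `search(filter, attrs)` is a callable you supply (for instance a thin wrapper around ldap3's `Connection.search`) that returns a list of `{attribute: [values]}` dicts, and `fake_search` with its four entries is a constructed in-memory stand-in so the example runs offline. The matching-rule OID and the RFC 4515 escaping are real; everything else is assumed for the example.

```python
"""User-in-group check with LDAP filters (added example, not from the thread).

No LDAP library is used: `search(filter, attrs)` is a callable you supply,
for instance a thin wrapper around ldap3's Connection.search, returning a
list of {attribute: [values]} dicts. `fake_search` below is a constructed
in-memory stand-in so the example runs offline.
"""
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]
SearchFn = Callable[[str, List[str]], List[Entry]]

# AD's LDAP_MATCHING_RULE_IN_CHAIN: makes a memberOf match transitive.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so text taken from AUTH_USER or a group name
    cannot change the structure of the filter it is pasted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(group_name: str) -> str:
    """Filter from the answer: locate the group object by sAMAccountName."""
    return "(&(objectCategory=group)(sAMAccountName=%s))" % escape_filter_value(group_name)


def user_in_group_filter(sam: str, group_dn: str, nested: bool = False) -> str:
    """'This account AND a member of this group'. memberOf holds the group's
    full distinguishedName, which is why a bare CN=Users or a guessed OU
    never matched. nested=True also matches membership via nested groups."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(sam), attr, escape_filter_value(group_dn))


def find_user_in_group(search: SearchFn, sam: str, group_name: str,
                       nested: bool = False) -> Optional[str]:
    """Two-step check: resolve the group DN, then search for the user with
    memberOf=<dn>. Returns the user's sAMAccountName, or None (fail closed)."""
    groups = search(group_filter(group_name), ["distinguishedName"])
    if not groups:
        return None
    group_dn = groups[0]["distinguishedName"][0]
    users = search(user_in_group_filter(sam, group_dn, nested), ["sAMAccountName"])
    return users[0]["sAMAccountName"][0] if users else None


# ---- constructed sample directory (not a real AD) ---------------------------
_DIRECTORY: List[Entry] = [
    {"distinguishedName": ["CN=Domain Admins,CN=Users,DC=corp,DC=mydomain,DC=net"],
     "objectCategory": ["group"], "sAMAccountName": ["Domain Admins"]},
    {"distinguishedName": ["CN=Sales,OU=Groups,DC=corp,DC=mydomain,DC=net"],
     "objectCategory": ["group"], "sAMAccountName": ["Sales"]},
    {"distinguishedName": ["CN=jsmith,CN=Users,DC=corp,DC=mydomain,DC=net"],
     "objectCategory": ["person"], "sAMAccountName": ["jsmith"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=mydomain,DC=net"]},
    {"distinguishedName": ["CN=jdoe,CN=Users,DC=corp,DC=mydomain,DC=net"],
     "objectCategory": ["person"], "sAMAccountName": ["jdoe"],
     "memberOf": ["CN=Sales,OU=Groups,DC=corp,DC=mydomain,DC=net"]},
]
_TERM = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _unescape(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) for the fake evaluator."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search(ldap_filter: str, attrs: List[str]) -> List[Entry]:
    """Evaluates only the equality-AND filters built above (case-insensitive,
    no wildcards, nested treated like direct); a real DC does far more."""
    terms = [(a.split(":")[0].lower(), _unescape(v).lower())
             for a, v in _TERM.findall(ldap_filter)]
    hits = []
    for entry in _DIRECTORY:
        lowered = {k.lower(): [x.lower() for x in v] for k, v in entry.items()}
        if all(v in lowered.get(a, []) for a, v in terms):
            hits.append({a: entry[a] for a in attrs if a in entry})
    return hits


if __name__ == "__main__":
    for user, group in [("jsmith", "Domain Admins"), ("jdoe", "Domain Admins"),
                        ("jdoe", "Sales"), ("jsmith", "Nonexistent")]:
        print(user, "in", group, "->", find_user_in_group(fake_search, user, group))
```

Three caveats when moving this onto a real domain: memberOf lists direct memberships only, so nested groups need the `nested=True` variant (AD-specific) and a user's primary group (Domain Users by default) does not appear in memberOf at all; with Windows authentication IIS's AUTH_USER is usually `DOMAIN\user`, so strip the domain prefix before using it as the sAMAccountName; and whatever comes from the request or a configuration file should go through `escape_filter_value` rather than straight into the filter string.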
 