Email Password Remember me?  Lost your password?

• Download demo project - 14.5 Kb
• Download source (Visual Studio 2003) - 15.7 Kb
• Download source (Visual Studio 2002) - 17 Kb

Introduction

This article describes how to use .NET framework to manage resources under Windows Active Directory Services. Microsoft provides ADSI (Active Directory Services Interface) which can interact with many providers including IIS (Internet Information Services), LDAP (Lightweight Directory Access Protocol), WinNT and NDS (Novell Netware Directory Service).
Since my aim is to demonstrate the usage of .NET DirectoryService classes I am restricting the demo project to querying some commonly used resources (computers, users and printers) in the domain where the user's machine is, at the same time demonstrating the power of Active Directory services and the ease with which Active Directory objects can be retrieved.

I have also used LDAP in this demo since I thought that it will be useful to know this protocol as it is a platform independent protocol.

There are different ways to query the Active Directory Services in a C# program

• using the ADSI through COM Interop. For this, in the Visual Studio C# project go to "Add References..." and select the COM tab and select Active DS Type Library from the list. Add using ActiveDs; statement to the top of your file or use fully qualified class names to access ADSI functions.
• Using the Active Directory Services OleDB Provider (ADsDSOObject). This approach is mostly useful to add Active Directory as a linked server in SQL Server. This subject is out of scope for the present article, I will discuss how to query Active Directory using the ADS OleDB provider in a different article.
• Using the classes provided under .NET System.DirectoryServices namespace. To access these classes add System.DirectoryServices.dll to the references. This article demonstrates this approach.

.NET System.DirectoryServices namespace

The System.DirectoryServices namespaces provides two important classes DirectoryEntry and DirectorySearcher to work with the Active Directory. The DirectoryEntry class represents a resource in the Active Directory and the DirectorySearcher class is used to query the Active Directory. The other classes under this namespace are for .NET security and collection classes to support the above said main classes.
You have to add System.DirectoryServices to your references by selecting System.DirectoryServices.dll from .NET tab in the Add Reference dialog box.

LDAP format filter strings

The DirectorySearcher class uses a search root which is a server where the search begins and a LDAP filter string (which is analogous to where clause in SQL) to query the Active Directory resources. LDAP format filter strings are similar to LISP. A condition is enclosed by parenthesis and an operator precedes 2 conditions. Eg. (& (A)(B)) The statement is equivalent to saying A and B. Remember the parenthesis. Another example (| (& (A)(B) ) (C) ) should be interpreted as (A and B) or (C).

The OLAP conditional statements are formed by using Active Directory attributes like name, objectCategory, objectClass, printerName, ListedName etc. For eg. to query for a list of printers the condition would be (objectCategory=printQueue) where objectCategory is an attribute and printQueue is the value expected to be assigned to a printer resource in Active Directory. Similary to query for all printers which start with a character 'G' the LDAP query would be (& (objectCategory=printQueue) (name=G*) ) In the above filter observe that the values do not have quotes (' or ") around them.

Using the code

The demo project demonstrates how to query the Active Directory Services and fetch different objects. The LDAP queries and the usage of .NET classes used are confined to QueryObjectsByNETClasses() and GetFilterString() methods.

The following code in QueryObjectsByNETClasses() method creates a DirectorySearcher object and sets properties on the searcher depending on the user preferences given in the main form. The description of different properties is in the comments in the code. Only "name" is added to the PropertiesToLoad property of DirectorySearcher class to save time as we are only interested in retrieving name and objectClass for the list of objects returned.

    DirectorySearcher ds = new DirectorySearcher();
    ds.SearchRoot = new DirectoryEntry("");    
      // start searching from local domain

    ds.Filter = GetFilterString();        
      // get the LDAP filter string based on selections on the form

    ds.PropertyNamesOnly = true;        
      // this will get names of only those 

      // properties to which a value is set

    ds.PropertiesToLoad.Add("name");

    // (PageSize) Maximum number of objects 

    // the server will return per page

    // in a paged search. Default is 0, i.e. no paged search

    if (ObjsPerPage.Text.Length > 0) 
        ds.PageSize = Int32.Parse(ObjsPerPage.Text);

    // (ServerPageTimeLimit) the amount of time the server

    // should observe to search a page of results

    // default is -1, i.e. search indefinitely

    if (PageTimeLimit.Text.Length > 0) 
        ds.ServerPageTimeLimit = new TimeSpan((long)(Decimal.Parse(
            PageTimeLimit.Text) * TimeSpan.TicksPerSecond));

    // (SizeLimit) maximum number of objects the server 

    // returns in a search

    // default is 0 - interpreted as server 

    // set default limit of 1000 entries

    if (ObjsToFetch.Text.Length > 0) 
        ds.SizeLimit = Int32.Parse(ObjsToFetch.Text);

    // (ServerTimeLimit) amount of time that the server 

    // should observe in a search

    // default is -1 interpreted as server default limit of 120 seconds 

    if (TotalTimeLimit.Text.Length > 0) 
        ds.ServerTimeLimit = new TimeSpan((long)(Decimal.Parse(
           TotalTimeLimit.Text) * TimeSpan.TicksPerSecond));

    // (SearchScope) option to search one level or complete subtree

    // default is Subtree, so set this option only if oneLevel is selected

    if (searchOptionCB.SelectedIndex == 1)
        ds.SearchScope = SearchScope.OneLevel;

    // (CacheResults) property by default is true

    ds.CacheResults = CacheResultsCB.Checked;

    ds.ReferralChasing = ReferralChasingOption.None;

    if (SortResultsCB.Checked)
        ds.Sort = new SortOption("name", SortDirection.Ascending);

The FormFilter() and GetFilterString() functions are used to form the LDAP query strings (see the explaination for the format of these strings in the LDAP format filter strings section above). Mainly observe the placement of & and | operators before the lists. For a complete set of attributes on which the queries can be formed for different objects refer to the Active Directory Schema under MSDN here.

    // form a filter string for the search in LDAP format

    private string FormFilter(string objectCategory, string filter)
    {
        String result;
        result = String.Format("(&(objectCategory={0})(name={1}))", 
           objectCategory, filter);
        return result;
    }

    // this function forms the filter string based on the selected

    // objects on the form

    private string GetFilterString()
    {
        // form the filter string for directory search

        string filter = "";
        if (UsersCB.Checked)
            filter += FormFilter("user", UsersFilter.Text);
        if (ComputersCB.Checked)
            filter += FormFilter("computer", ComputersFilter.Text);
        if (PrintersCB.Checked)
            filter += FormFilter("printQueue", PrintersFilter.Text);

        // add all the above filter strings

        return "(|" + filter + ")";
    }

Important Points and Notes

• Use objectCategory attribute instead of objectClass where ever possible. Active Directory documentation mentions two things related to this issue :

• objectClass attribute can have multiple values. This can be a problem especially if you are retriving objectClass. You can end up with multiple values !
• objectCategory is an indexed attribute in Active Directory. So using objectCategory speeds up queries.

The second point is more important because all the examples given in MSDN use objectClass, whereas using objectCategory will speed up queries !

• If the list queried is too large then there is a possibility of a timeout. So don't be surprised if your query does not return the complete list. A point to be noted is that you cannot set a value to ServerTimeLimit larger than the default value of 120 seconds ! So if you are looking for all objects and your directory is too large it is better to query number of times by changing your LDAP filter string incrementally (for eg. a*, b* ..) and combining the results.
• Try to use PropertiesToLoad and PropertyNamesOnly properties of DirectorySearcher if you know what properties you are trying to retrieve. If PropertyNamesOnly is set to true, the query will fetch the names of only those properties for which a value is set. Giving names of properties to be loaded to PropertiesToLoad will reduce the fetch time. By default PropertiesToLoad is set to an empty StringCollection to fetch all the properties, and PropertyNamesOnly is set to false to retrieve all properties' names even if a value is not set. For eg. in my demo I have given "name" property to be loaded and set PropertyNamesOnly to true. Please note that even if not specified objectClass and objectCategory propertied are automatically loaded whenever an object is fetched.
• By default all the results of a Active Directory fetch are cached. Set the CacheResults property of DirectorySearcher to false to refresh the object cache on the local computer.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Version for Visual Studio 08 tbark 16:55 27 Jan '09   Could you come up with a version for Visual Studio 08 please? I get the error "Application has generated an exception that could not be handled. Process id=0xbd4 (3028), Thread id=0x7d4 (2004)." I think itmight be cos I dont have the older versions of Visual Studio. You think so? Sign In·View Thread·PermaLink 2.00/5 Re: Version for Visual Studio 08 CoderGirl42 13:15 26 Mar '09   Here's a creative solution... Write your own. Enjoy! Sign In·View Thread·PermaLink 1.00/5 How to get other information of the user dabuskol 21:49 2 Dec '08   I know the domain and username attached to the domain, how about other information such as telephone, department. is it available? Dabsukol Sign In·View Thread·PermaLink 1.00/5 User Creation Help Required (mukatys@yahoo.com) Asif Mukaty 21:38 17 Jun '08   I am using following code in VB its working fine with administrtor user loging but i change login from another user which have no administrative rights is return exception regrading unauthorized I change different authontication type but its not working anyone help me regarding this because I want to create user without given rights to user. Private Sub AddUser(ByVal login As String, ByVal password As String, ByVal fullName As String) Dim dirEntry As DirectoryEntry dirEntry = New DirectoryEntry("WinNT://" + Environment.MachineName + ",computer") Dim entries As DirectoryEntries = dirEntry.Children ' Set login name and full name. Dim newUser As DirectoryEntry = entries.Add(login, "User") newUser.Properties("FullName").Add(fullName) newUser.Properties("HomeDirectory").Add("c:\Documents and Settings") newUser.Properties("Description").Add("DARS Operator") ' User must change password at next logon (1 - true, 0 - false) newUser.Properties("PasswordExpired").Add(0) ' Password never expires. 'newUser.Properties("PasswordAge").Add(0) ' Set flags - User Cannot change password | Password never expires. newUser.Properties("Userflags").Add(&H40 Or &H10000) ' Set the password. Dim result As Object = newUser.Invoke("SetPassword", password) newUser.CommitChanges() ' Add user to the group "Members" Dim grp As DirectoryEntry = dirEntry.Children.Find("Dars Operator") If (Not grp Is Nothing) Then grp.Invoke("Add", New Object() {newUser.Path.ToString()}) End If End Sub Sign In·View Thread·PermaLink Solution for other LDAP servers wojtekp 20:53 22 Feb '08   LDAP Services provides a library that allows you to do the same thing, but connecting to any directory server (Novell, iPlanet, etc): http://www.ldapservices.com/Products/LdapClient.Net/Default.aspx[^] Sign In·View Thread·PermaLink 1.00/5 Can't open it b/c it says I have the wrong .Net runtime version bort1983 11:02 27 Jul '07   I have the latest! (v3.0) Please help. Thanks Sign In·View Thread·PermaLink 1.50/5 Active computers Mubshir Raza Ali 3:18 6 Jul '07   Hi, How do i get the active computers or users (computer on which some one has logon or all logged in users) on domain. Many Thanks, Mubshir Raza Ali ^^^^^^^^^^^^^^^^^^^^^^^ > www.born4code.com > forums.born4code.com > live.born4code.com Sign In·View Thread·PermaLink 1.50/5 Nested groups Refky Wahib 0:02 3 Apr '07   Hi Could you please? Tell me how could I query the active directory, for a user groups including all nested groups? In our structure, we add groups inside other groups then we are query the user if he belongs to specific group and normally is not direct group. Could you please help? Refky Wahib senior programmer, center for learning and innovation Sign In·View Thread·PermaLink 1.25/5 ldap filter size siedell 11:14 12 Dec '06   Does anyone know if there is a limit to the character size of a Search Filter, if any? Sign In·View Thread·PermaLink Excelente! (Great!) goarango 10:04 27 Nov '06   El mas completo ejemplo del tema que haya visto. (The best and complete sample about this theme). G.O. Arango Sign In·View Thread·PermaLink Thank you Sriram! ssudhaa 7:25 7 Nov '06   I was searching for the right filter to query ADSI. I was not getting the syntax right and spent a lot of time trying to figure it out before I bumped into your article. As always you are awesome!!! Sudhaa Subramanian Sign In·View Thread·PermaLink How I can get a good list of attributes and filter criteria? William Yeung 2:09 10 Oct '06   I want to get a list of attributes available for PropertiesToLoad- the one in SDK is very confusing... I don't really understand what it tries to say on that particular part. Sign In·View Thread·PermaLink 1.33/5 Re: How I can get a good list of attributes and filter criteria? Duoc BT 14:54 26 Oct '06   This should give you a list of property/value pairs. I used mypdc as it's my PDC but in most cases, it's not required. It can be a plain path: LDAP://DC=mydomain,DC=com,DC=au. DirectorySearcher searcher = new DirectorySearcher(); searcher.SizeLimit = 1000000; searcher.ServerTimeLimit = new TimeSpan(0, 1, 0); searcher.SearchRoot = new DirectoryEntry ("LDAP://mypdc/DC=mydomain,DC=com,DC=au"); // searcher.Filter = "(objectClass=group)"; searcher.Filter = "(objectClass=user)"; // searcher.Sort = new SortOption("Name", SortDirection.Ascending); using(SearchResultCollection results = searcher.FindAll()) { if (results != null) { PrintSearchResults(results); } } // using void PrintSearchResults(SearchResultCollection results) { foreach (SearchResult res in results) { using(DirectoryEntry de = res.GetDirectoryEntry()) { foreach (string propName in de.Properties.PropertyNames) { foreach (object val in de.Properties[propName]) { Console.Out.WriteLine(propName + "=" + val); } } } // using } } Sign In·View Thread·PermaLink 5.00/5 Delete user AD [modified] Bigbirdtung 1:33 6 Jun '06   great, you show me how to add user, so what about delete user? how we do it? -- modified at 22:17 Tuesday 6th June, 2006 Sign In·View Thread·PermaLink 1.40/5 Can't conect to DC from LAN Bigbirdtung 1:15 6 Jun '06   I can't conect to the DC from my PC(also Join domain). here it is: DirectoryEntry de = new DirectoryEntry("LDAP://DC=fbf,DC=com"); is that path wrong? how can i fix this? Thanks! BigBird Sign In·View Thread·PermaLink 2.00/5 Re: Can't conect to DC from LAN zohaibabrar 23:35 22 Sep '06   Try including the domain controller name in the LDAP string in the following format: DirectoryEntry de = new DirectoryEntry("LDAP://DomainControllerName/DC=fbf,DC=com"); Noman Juzar Lakdawala. Sign In·View Thread·PermaLink 1.00/5 Size Limit cavedog6 6:06 5 Jun '06   How do I query for more than 1000 records? I can't figure out how to get more than 1000 from the server. Sign In·View Thread·PermaLink Re: Size Limit andreas.eppinger 0:39 27 Jun '06   it's a serversetting. You can't get more records as the serversettings for sizelimit. Your Administrator must increase this value. Sign In·View Thread·PermaLink Re: Size Limit Marlon Rodriguez 17:46 20 Jul '06   Actually you can. Just using the pagesize and then using a while loop with getnextrow until you get the NO_MORE_DATA error. I'm not clear on this. There are more examples in the net I was trying to find one I read a while back about this. Sign In·View Thread·PermaLink 2.00/5 Re: Size Limit jportelas 8:41 29 Jan '07   How can an Administrator increase this value? jportelas Sign In·View Thread·PermaLink Re: Size Limit andreas.eppinger 10:55 29 Jan '07   To increase the maximum page size (MaxPageSize), use the Ntdsutil.exe tool. Take alook here: http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech Sign In·View Thread·PermaLink 4.00/5 Re: Size Limit jportelas 3:28 30 Jan '07   Thanks a lot Andreas! jportelas Sign In·View Thread·PermaLink LDAP Query for Groups in Active Directory chitransh 1:43 2 Jun '06   Hi, HOw to write query got getting all the groups defined in Active directory? I want to fetch all the groups from active directory. Thanx in advance chitransh@dotnet Sign In·View Thread·PermaLink 1.86/5 Re: LDAP Query for Groups in Active Directory vinodjnair 0:59 26 Sep '06   Here is the code to get all groups that are present in your AD having domain as x.y.z.com : DirectoryEntry objEntry = new DirectoryEntry("LDAP://DCName/OU=testOU,DC=x,DC=y,DC=z,DC=COM","username","password",AuthenticationTypes.Secure); DirectorySearcher searcher = new DirectorySearcher(objEntry); searcher.Filter = "(objectcategory=group)"; searcher.SearchScope = SearchScope.Subtree; searcher.PropertiesToLoad.Add("cn"); SearchResultCollection searchResults; searchResults = searcher.FindAll(); foreach (SearchResult result in searchResults) {       Console.WriteLine(result.Properties["cn"][0]); //do whatever you want to do with property value here } Console.Read() //waits for user input Cheers Vinod J. Nair TCS, Hyderabad Sign In·View Thread·PermaLink 5.00/5 Re: LDAP Query for Groups in Active Directory soup1983 10:18 18 Dec '06   I am trying to query an AD residing on a different server and came across your snippet. The following line caught my attention: DirectoryEntry objEntry = new DirectoryEntry("LDAP://DCName/OU=testOU,DC=x,DC=y,DC=z,DC=COM","username","password",AuthenticationTypes.Secure); Is there a way around hard coding the "username" and "password"? The last three parameters, are they even necessary for creating the DirectoryEntry instance? Thanks Sign In·View Thread·PermaLink 2.50/5

Last Visit: 10:49 22 Nov '09     Last Update: 10:49 22 Nov '09 12345 Next »