I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?
Active Directory auditing stores user logon history details in event logs on domain controllers. Therefore, the most straightforward option to get user logons is to filter out all Security events in the Windows Event Viewer and find the target user account and logon type.
To view and edit all user, group, or computer attributes in AD you can use PowerShell cmdlets from the RSAT-AD-PowerShell module instead of the Attribute Editor GUI. To view the values of all object attributes: of a user: Get-ADUser username -Properties * of a computer: Get-ADComputer computername -Properties *
To use PowerShell to get an AD user object attributes, we will be using the Property parameter. The Property parameter accepts one or more comma-separated attributes to show with the output. Below we will see an example of using Get-ADUser to find all properties for a specific user account.
By default, Get-AdUser will run under the context of the logged-on user. But you can also provide alternative credentials using the Credential parameter. For more information on credentials, check out Using the PowerShell Get-Credential cmdlet and all things credentials.
Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:
You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.
The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).
AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.
You might find the following snippet useful as a starter.
public static bool IsUserInGroup(string lanid, string group)
{
DirectoryEntry entry = new DirectoryEntry("LDAP://" + LDAPPATH);
if(entry != null)
{
entry.Username=@"LDAPUSER";
entry.Password="LDAPPASSWORD";
DirectorySearcher srch = new DirectorySearcher(entry);
srch.Filter = String.Format("(&(objectClass=person)(sAMAccountName={0}))", lanid);
srch.PropertiesToLoad.Add("memberOf");
SearchResult result = srch.FindOne();
if(result != null)
{
if(result.Properties.Contains("memberOf"))
{
string lookfor = String.Format("cn={0},", group.ToLower());
foreach(string memberOf in result.Properties["memberOf"])
{
if(memberOf.ToLower().StartsWith(lookfor))
return true;
}
}
}
return false;
}
throw new Exception(String.Format("Could not get Directory lanid:{0}, group{1}", lanid, group));
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With