Active Directory: Retrieve User information

I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?

Chris Canal asked Sep 25 '08 09:09



2 Answers

Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:

  • In a URI, write LDAP in lowercase. Otherwise you'll get a mystery error. I spent more than a day on this depressing issue...
  • To clear a single-valued property, set it to an empty string, not null. Null causes an exception.
  • To clear a multi-valued property, use the DirectoryEntry.Property.Clear() method.
  • The Active Directory schema reference will say which data type a value will be and whether it is multi-value or single-value.
  • You do not need to manually RefreshCache() on a DirectoryEntry, but if you ever use it and specify which properties to cache, know that it will not auto-retrieve any other properties in the future.
  • A COMException can be thrown at absolutely any time you use the classes in System.DirectoryServices. Keep an eye on those try blocks. Do not assume anything is safe.

You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.

The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).

AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.

Sander answered Sep 23 '22 21:09


You might find the following snippet useful as a starter.

// Requires a reference to System.DirectoryServices. LDAPPATH, LDAPUSER and
// LDAPPASSWORD are placeholders for your own directory path and bind account.
using System;
using System.DirectoryServices;

public static class AdGroupCheck
{
    const string LDAPPATH = "dc=example,dc=com"; // placeholder
    const string LDAPUSER = "LDAPUSER";          // placeholder
    const string LDAPPASSWORD = "LDAPPASSWORD";  // placeholder

    public static bool IsUserInGroup(string lanid, string group)
    {
        // lanid is interpolated into the filter: escape it per RFC 4515 first
        // if it can come from an untrusted source.
        using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + LDAPPATH))
        using (DirectorySearcher srch = new DirectorySearcher(entry))
        {
            entry.Username = LDAPUSER;
            entry.Password = LDAPPASSWORD;
            srch.Filter = String.Format("(&(objectClass=person)(sAMAccountName={0}))", lanid);
            srch.PropertiesToLoad.Add("memberOf");

            // FindOne throws COMException if the directory cannot be reached or bound.
            SearchResult result = srch.FindOne();
            if (result != null && result.Properties.Contains("memberOf"))
            {
                // memberOf holds the distinguished names of the user's groups;
                // match on the leading "cn=<group>," component, case-insensitively.
                string lookfor = String.Format("cn={0},", group.ToLower());
                foreach (string memberOf in result.Properties["memberOf"])
                {
                    if (memberOf.ToLower().StartsWith(lookfor))
                        return true;
                }
            }
            return false;
        }
    }
}
paul answered Sep 22 '22 21:09
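As an added example (not code from either answer), the following shows how the filter escaping Sander warns about and the DirectorySearcher lookup in paul's snippet fit together for the question's scenario: the account name that Windows Authentication exposes as HttpContext.User.Identity.Name (DOMAIN\user) is escaped per RFC 4515 before it enters the filter, and the search binds with the web application's own identity rather than a password stored in code. The ldapPath value, the AdUserLookup class and the attribute names are assumptions supplied by the caller.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class AdUserLookup
{
    // Escapes a value for an LDAP search filter (RFC 4515): the metacharacters
    // * ( ) \ and NUL, plus every non-ASCII UTF-8 byte, become \xx hex escapes.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            if (b == '*' || b == '(' || b == ')' || b == '\\' || b == 0 || b > 0x7F)
                sb.Append('\\').Append(b.ToString("x2"));
            else
                sb.Append((char)b);
        }
        return sb.ToString();
    }
    // Windows Authentication reports "DOMAIN\user"; only the account part is searched.
    public static string AccountPart(string identityName)
    {
        int slash = identityName.IndexOf('\\');
        return slash >= 0 ? identityName.Substring(slash + 1) : identityName;
    }
    // Finds the user's entry and loads only the requested attributes, binding as the
    // process identity. ldapPath is an assumption, e.g. "LDAP://DC=corp,DC=example".
    public static SearchResult FindUser(string ldapPath, string identityName, params string[] attributes)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                + EscapeFilterValue(AccountPart(identityName)) + "))";
            foreach (string attr in attributes)
                searcher.PropertiesToLoad.Add(attr);
            try
            {
                return searcher.FindOne(); // null when no account matches
            }
            catch (COMException ex) // any System.DirectoryServices call may throw this
            {
                throw new InvalidOperationException("Directory lookup failed", ex);
            }
        }
    }
}
```

A call such as FindUser("LDAP://DC=corp,DC=example", User.Identity.Name, "givenName", "sn", "mail") returns a SearchResult whose Properties collection holds just those attributes.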