I checked this post already. But it doesn't answer my question. I want to get all the active directory groups in which a particular user is a member.
I've written the following code. But I'm not able to proceed further as I don't know how to give the filter and how to access the properties.
    using System;
    using System.DirectoryServices;

    class Program
    {
        static void Main(string[] args)
        {
            DirectoryEntry de = new DirectoryEntry("LDAP://mydomain.com");
            DirectorySearcher searcher = new DirectorySearcher(de);
            searcher.Filter = "(&(ObjectClass=group))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("name");
            searcher.PropertiesToLoad.Add("objectSid");
            SearchResultCollection results = searcher.FindAll();
            int i = 1;
            foreach (SearchResult res in results)
            {
                Console.WriteLine("Result" + Convert.ToString(i++));
                DisplayProperties("distinguishedName", res);
                DisplayProperties("sAMAccountName", res);
                DisplayProperties("name", res);
                DisplayProperties("objectSid", res);
                Console.WriteLine();
            }
            Console.ReadKey();
        }

        // Prints every value of the named attribute for one search result.
        private static void DisplayProperties(string property, SearchResult res)
        {
            Console.WriteLine("\t" + property);
            ResultPropertyValueCollection col = res.Properties[property];
            foreach (object o in col)
            {
                Console.WriteLine("\t\t" + o.ToString());
            }
        }
    }
Any ideas?
Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory - State-in-Time" → Select "User Accounts - Group Membership" → Click "View". To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
In the properties window for the user account, switch to the “Member Of” tab. This tab shows you the local groups to which the user account belongs, and also lets you add the account to other groups.
To find AD groups with PowerShell, you can use the Get-ADGroup cmdlet. With no parameters, Get-ADGroup will query AD and return all groups in a domain using the Filter parameter. The Filter parameter is required. It exists to limit the groups returned based on various criteria.
You should use System.DirectoryServices.AccountManagement. It's much easier. Here is a nice CodeProject article giving you an overview of all the classes in this DLL.
As you pointed out, your current approach doesn't find the primary group. Actually, it's much worse than you thought. There are some more cases where it doesn't work, like a domain local group from another domain. You can check here for details. Here is how the code looks if you switch to System.DirectoryServices.AccountManagement. The following code can find the immediate groups this user is assigned to, which includes the primary group.
    using System;
    using System.DirectoryServices.AccountManagement;

    // Immediate group membership (including the primary group) via the AccountManagement API.
    UserPrincipal user = UserPrincipal.FindByIdentity(
        new PrincipalContext(ContextType.Domain, "mydomain.com"),
        IdentityType.SamAccountName, "username");
    foreach (GroupPrincipal group in user.GetGroups())
    {
        Console.Out.WriteLine(group);
    }
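As an added example (not code from the answer above), the same AccountManagement approach extended to compare GetGroups with GetAuthorizationGroups. GetGroups returns the immediate groups plus the primary group; GetAuthorizationGroups also expands nested groups, which is the set that governs what the account can actually reach and is therefore the one to use when auditing access. The domain "mydomain.com" and the account "username" are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

static class MembershipAudit
{
    // Immediate membership: direct group entries plus the primary group
    // (this is what GetGroups returns, as the answer above describes).
    public static List<string> ImmediateGroups(UserPrincipal user)
    {
        return Collect(user.GetGroups());
    }

    // Effective membership: GetAuthorizationGroups also expands nested groups,
    // which is the set that actually decides what the account can access.
    public static List<string> EffectiveGroups(UserPrincipal user)
    {
        return Collect(user.GetAuthorizationGroups());
    }

    private static List<string> Collect(PrincipalSearchResult<Principal> groups)
    {
        var names = new List<string>();
        using (groups)
        {
            foreach (Principal g in groups)
            {
                // SamAccountName can be null for a few built-in principals; fall back to the SID.
                names.Add(g.SamAccountName ?? g.Sid.ToString());
                g.Dispose();
            }
        }
        names.Sort(StringComparer.OrdinalIgnoreCase);
        return names;
    }

    static void Main()
    {
        // Placeholders: replace with the domain and the account being audited.
        using (var ctx = new PrincipalContext(ContextType.Domain, "mydomain.com"))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "username"))
        {
            if (user == null)
            {
                Console.WriteLine("User not found.");
                return;
            }

            List<string> immediate = ImmediateGroups(user);
            List<string> effective = EffectiveGroups(user);

            Console.WriteLine("Immediate groups ({0}):", immediate.Count);
            foreach (string g in immediate) Console.WriteLine("  " + g);

            // Groups reached only through nesting: in the token, but not assigned directly.
            var nested = new HashSet<string>(effective, StringComparer.OrdinalIgnoreCase);
            nested.ExceptWith(immediate);
            Console.WriteLine("Inherited through nested groups ({0}):", nested.Count);
            foreach (string g in nested) Console.WriteLine("  " + g);
        }
    }
}
```

The "inherited" list is the part a permissions review usually misses: a user who is never added to a sensitive group directly can still hold it through a chain of nested groups, and only the expanded set shows that.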
Use tokenGroups:
    using System;
    using System.DirectoryServices;
    using System.Security.Principal;

    // 'username' holds the sAMAccountName of the account to inspect.
    DirectorySearcher ds = new DirectorySearcher();
    ds.Filter = String.Format("(&(objectClass=user)(sAMAccountName={0}))", username);
    SearchResult sr = ds.FindOne();
    DirectoryEntry user = sr.GetDirectoryEntry();
    // tokenGroups is a constructed attribute and must be requested explicitly.
    user.RefreshCache(new string[] { "tokenGroups" });
    for (int i = 0; i < user.Properties["tokenGroups"].Count; i++)
    {
        SecurityIdentifier sid = new SecurityIdentifier((byte[])user.Properties["tokenGroups"][i], 0);
        NTAccount nt = (NTAccount)sid.Translate(typeof(NTAccount));
        // do something with the SID or name (nt.Value)
    }
Note: this only gets security groups.
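An added example (not code from the answer above) that takes the tokenGroups approach and adds two things a practitioner needs when the account name comes from a caller rather than a constant: the name is escaped before it is placed in the LDAP filter (RFC 4515 escaping, so characters such as `*`, `(` and `)` cannot change what the filter matches), and SIDs that cannot be translated to a name (deleted groups, or groups in a domain this host cannot resolve) are kept as raw SID strings instead of aborting the whole listing. The path "LDAP://mydomain.com" and the account "username" are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class TokenGroupsAudit
{
    // Escape a value before placing it in an LDAP filter (RFC 4515), so a
    // caller-supplied account name cannot alter the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the security groups in the account's token (tokenGroups only
    // carries security groups, not distribution groups). Entries that cannot
    // be resolved to a name are returned as SID strings rather than dropped.
    public static List<string> ResolveTokenGroups(string ldapPath, string samAccountName)
    {
        var groups = new List<string>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            SearchResult sr = ds.FindOne();
            if (sr == null)
                throw new ArgumentException("No user with sAMAccountName " + samAccountName);

            using (DirectoryEntry user = sr.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute: it is only populated on an explicit refresh.
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (object raw in user.Properties["tokenGroups"])
                {
                    var sid = new SecurityIdentifier((byte[])raw, 0);
                    try
                    {
                        groups.Add(sid.Translate(typeof(NTAccount)).Value);
                    }
                    catch (IdentityNotMappedException)
                    {
                        // Deleted group, or a group in a domain this host cannot resolve:
                        // record the SID so the audit output is not silently incomplete.
                        groups.Add(sid.Value);
                    }
                }
            }
        }
        return groups;
    }

    static void Main(string[] args)
    {
        // Placeholders: the LDAP path and account name would normally come from the caller.
        string account = args.Length > 0 ? args[0] : "username";
        foreach (string g in ResolveTokenGroups("LDAP://mydomain.com", account))
            Console.WriteLine(g);
    }
}
```

With the escaping in place, an input such as `a*(b)` becomes `a\2a\28b\29` in the filter and is matched literally. Leaving unresolved SIDs in the output rather than swallowing the exception matters for review work: an S-1-5-21-... entry that no longer maps to a group is itself a finding (stale membership, or a trust the auditing host cannot see).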