How to get members of an Active Directory group with C# .NET

by sporter 4. April 2011 03:23

I recently had to retrieve members of an Active Directory group so that I could allow users of my software to select groups of Employees to send email to. After searching around and trying to get my LDAP query right, I came up with the following solution:

        // Required namespaces: System, System.Collections, System.Collections.Generic,
        // System.DirectoryServices (reference System.DirectoryServices.dll) and System.Text.RegularExpressions.
        public List<string> GetGroupMemberNames(string groupName, bool descendRecursively)
        {
            List<string> names = new List<string>();
            // Binds directly to the group by CN; this assumes the group lives in the default Users
            // container and that groupName contains no unescaped DN special characters.
            using (DirectoryEntry root = new DirectoryEntry(@"LDAP://CN=" + groupName + ",CN=Users,DC=mydomain,DC=com"))
            {
                // "Members" is an ADSI COM method; each element it yields is a raw COM object
                // that has to be wrapped in a DirectoryEntry before its properties can be read.
                object members = root.Invoke("Members", null);
                foreach (object member in (IEnumerable)members)
                {
                    using (DirectoryEntry x = new DirectoryEntry(member))
                    {
                        // x.Properties["key"] can return a simple object or a PropertyValueCollection.  See implementation below.
                        string objectCategory = GetProperty(x.Properties["objectCategory"]);
                        string samAccountName = GetProperty(x.Properties["sAMAccountName"]);

                        // objectCategory of a group looks like "CN=Group,CN=Schema,CN=Configuration,DC=..."
                        if (descendRecursively && Regex.IsMatch(objectCategory, @"^CN=Group,", RegexOptions.IgnoreCase))
                        {
                            // recursively descend to get user names from the discovered group
                            // (note: no guard against circular nesting, and the child is looked up by CN in CN=Users)
                            List<string> childNames = GetGroupMemberNames(samAccountName, descendRecursively);
                            names.AddRange(childNames);
                        }
                        else
                        {
                            names.Add(samAccountName);
                        }
                    }
                }
            }

            return names;
        }



        // Returns the ToString() of the object
        // Or, if the object is of type PropertyValueCollection, it returns a comma-separated list of the ToString()
        // of each object
        private static string GetProperty(object obj)
        {
            string str = string.Empty;

            if (obj is PropertyValueCollection)
            {
                foreach (object child in ((PropertyValueCollection)obj))
                {
                    string tempStr = GetProperty(child);
                    if (!string.IsNullOrEmpty(tempStr))
                    {
                        str += (string.IsNullOrEmpty(str) ? "" : ",") + tempStr;
                    }
                }
            }
            else if (obj != null)
            {
                str = obj.ToString();
            }

            return str;
        }

 

This code requires that the account under which it is running has adequate permissions to read the group and its members in Active Directory. Two caveats: the group name is concatenated straight into the LDAP path, so a name containing DN special characters (comma, plus, quotation mark, backslash, angle brackets, semicolon, equals sign) must be escaped as described in RFC 4514, and the value should never be taken unescaped from user input; and the recursive call assumes every nested group lives in the Users container with a sAMAccountName equal to its CN, and nothing stops it looping forever if two groups contain each other. One more thing: the following is a non-comprehensive list of keys you can look for in x.Properties above:
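The version below is an added example of my own, not code from the original post. It addresses the caveats just mentioned: the group is located with a DirectorySearcher whose filter value is escaped per RFC 4515, nested groups are followed through their distinguished names wherever they live in the directory, and a visited set prevents infinite recursion on circular nesting. It assumes (my assumptions, not the post's) that the machine is domain-joined so the serverless "LDAP://RootDSE" binding works, and that the group is identified by sAMAccountName. The class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class GroupMembers
{
    // Escape a value for use inside an LDAP search filter (RFC 4515), so a caller-supplied
    // group name such as "Sales*)(objectClass=*" cannot change the meaning of the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the sAMAccountName of every member of the named group. With recurse=true,
    // nested groups are expanded (each group visited at most once); with recurse=false the
    // nested group's own sAMAccountName is returned, matching the behaviour of the original code.
    public static List<string> GetMemberNames(string groupSamAccountName, bool recurse)
    {
        var names = new List<string>();
        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        // Assumption: domain-joined machine, so RootDSE resolves the current domain.
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domain = new DirectoryEntry("LDAP://" + defaultNc))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" +
                                  EscapeFilterValue(groupSamAccountName) + "))";
                searcher.PropertiesToLoad.Add("distinguishedName");
                SearchResult hit = searcher.FindOne();
                if (hit == null)
                    throw new ArgumentException("Group not found: " + groupSamAccountName);

                Walk((string)hit.Properties["distinguishedName"][0], recurse, visited, names);
            }
        }
        return names;
    }

    private static void Walk(string groupDn, bool recurse, HashSet<string> visited, List<string> names)
    {
        // Cycle guard: group A containing B while B contains A is legal in AD.
        if (!visited.Add(groupDn)) return;

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            // Read the multi-valued "member" attribute directly. Caveats: a user's primary group
            // (usually Domain Users) is not listed in "member", and groups with more than 1500
            // members need ranged retrieval (member;range=0-1499) via DirectorySearcher, not handled here.
            foreach (object memberDn in group.Properties["member"])
            {
                string dn = (string)memberDn;
                // A DN containing "/" must have it escaped as "\/" to be valid in an ADsPath.
                using (var member = new DirectoryEntry("LDAP://" + dn.Replace("/", "\\/")))
                {
                    bool isGroup = false;
                    foreach (object cls in member.Properties["objectClass"])
                        if (string.Equals((string)cls, "group", StringComparison.OrdinalIgnoreCase))
                            isGroup = true;

                    if (isGroup && recurse)
                        Walk(dn, recurse, visited, names);
                    else
                        names.Add((string)member.Properties["sAMAccountName"].Value);
                }
            }
        }
    }
}
```

Usage is `GroupMembers.GetMemberNames("Employees", true)`; the filter escaping is the part worth keeping even if you prefer the original CN-based binding, because it is the difference between looking up a group and letting the caller rewrite the query.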

objectCategory, sAMAccountName, userPrincipalName, displayName, distinguishedName, cn, givenName, homeDrive, profilePath, sn, objectClass, name, description, mail

Here is a more exhaustive list of Active Directory object attributes.

.NET | C#