Can't .NET do ADSI/LDAP/WinNT with DirectoryServices?


Post by Jerry Wor » Sun, 24 Nov 2002 06:11:30



Greetings,

I want to manage NTLM from the web.

Using WinNT, I query my Active Directory with this:

DirectoryEntry("WinNT://MYDOMAIN")

This returns what appears to be the top level AD object; its children are all the other objects in the directory, such as the "Users" group and my own user account.

The problem is, when I want the users in a group:

DirectoryEntry("WinNT://MYDOMAIN/USERS")

The query's children collection (which I hoped would contain the users in the group) is empty.

So, I changed to using LDAP (even though I do not understand it):

DirectoryEntry("LDAP://MYDOMAIN")

Which returned a single child path of "Builtin." What is Builtin? I don't know, but I would love some enlightenment.

DirectoryEntry("LDAP://CN=Builtin,DC=MYDOMAIN,DC=com")

This returned around 8 children, one being:

DirectoryEntry("LDAP://CN=Users,CN=Builtin,DC=MYDOMAIN,DC=com")

I thought this might list all the users in my domain. The assumption seemed logical as the Users group contains all the users.

However, the children collection remains empty. (as a side note, so did the CN=Administrators and all the others, I tried them).

I have not successfully used LDAP to list all groups or users. Well, *- or anything else for that matter.

Is there no easy way to:

1. list domain users
2. list domain groups
3. list group members
4. add/remove/edit a user
5. add/remove/edit a group
6. add/remove user from a group

???

I would love sample code, but I could use some direction, too.

What's really frustrating is that I can do this in my sleep with COM and old-school ADSI.

Moreover, what's the deal with Builtin? Except the root object, no LDAP query will work if I omit it! Does no one but me have the Builtin nemesis?

DirectoryEntry("LDAP://CN=Users,CN=Builtin,DC=MYDOMAIN,DC=com")

I can list all domain groups using WinNT like this:

Dim oEntry As DirectoryEntry = New DirectoryEntry("WinNT://MYDOMAIN")
oEntry.Children.SchemaFilter.Add("group")
dataGrid.dataSource = oEntry.children

I can list all domain users using WinNT like this:

Dim oEntry As DirectoryEntry = New DirectoryEntry("WinNT://MYDOMAIN")
oEntry.Children.SchemaFilter.Add("user")
dataGrid.dataSource = oEntry.children

That doesn't help me list users in a group.

And who even knows how to list what groups a user is a member of?

Am I going down the wrong path abandoning WinNT for LDAP? Seems like all the samples out there use LDAP so it /feels/ right, but I am yet to find the DirectoryServices best practice document. ;-) Or samples that actually work.

No help from these links (maybe they will help you):

http://www.veryComputer.com/

I am trying to use the DirectoryServices namespace like a good .net developer but with no useful direction. MSDN/GotDotNet only helps so much.

Hopefully, you have ideas.

Thanks, Jerry

 
 
 


Post by Joe Kapla » Sun, 24 Nov 2002 08:09:44


I haven't really figured out what you are supposed to be able to do with the Children property in DirectoryServices and I never use it.  However, given that you are on Active Directory and use LDAP, you have a lot of options because you can use the very powerful and easy DirectorySearcher object to do things like finding all groups or domain users and what not.

Here is a little piece of VB.NET code that should help you get a collection of all domain users.  By varying the LDAP filter, you can get groups or just about anything else.  LDAP filters are very powerful and worth learning about.

            ' Requires a reference to System.DirectoryServices.dll and
            ' Imports System.DirectoryServices at the top of the file.
            Dim rootEntry As DirectoryEntry
            Dim searcher As DirectorySearcher
            Dim results As SearchResultCollection
            Dim result As SearchResult

            ' Bind to the domain root; the path is a quoted string with the LDAP:// prefix.
            rootEntry = New DirectoryEntry("LDAP://DC=MYDOMAIN,DC=com")

            searcher = New DirectorySearcher()
            searcher.SearchRoot = rootEntry
            searcher.PropertiesToLoad.AddRange(New String() {"distinguishedName"})
            searcher.SearchScope = SearchScope.Subtree
            searcher.PageSize = 1000
            searcher.ReferralChasing = ReferralChasingOption.None
            ' filter is a String holding the LDAP search filter.
            searcher.Filter = filter

            Try
                results = searcher.FindAll()
            Catch e As System.Runtime.InteropServices.COMException
                Console.WriteLine(e.ToString())
                Return
            End Try

            ' Print the distinguished name of every object the search returned.
            For Each result In results
                Console.WriteLine("Distinguished Name: {0}", result.Properties("distinguishedName")(0).ToString())
            Next

To see the members in a group, you actually need to look at the member attribute of a group object, not its children as groups aren't container objects in AD (and only containers have children).

Dim myGroup As DirectoryEntry
' Instantiate myGroup to a valid group object in AD using its distinguished name....
myGroup = New DirectoryEntry("LDAP://cn=my group,ou=group ou,dc=mydomain,dc=com")
Dim members As PropertyValueCollection
members = myGroup.Properties("member")
Dim member As Object
' Each value of the member attribute is the distinguished name of one member.
For Each member In members
       Console.WriteLine(member.ToString())
Next

To see what groups a user is a member of, go to the user object and read its memberOf attribute (using the same kind of approach as above).  memberOf is populated by AD automatically based on the member attribute of group objects.

I have posted very recently a bunch of code samples that will show you how to do some of the stuff you asked for in .NET DirectoryServices with LDAP/AD, so try doing a Google search on this group for more samples.

I also suggest you spend some time poking around with AD Users and Computers and ADSI Edit (both available through the Win2K server admin pack on the Win2K server CD) to get more familiar with how AD is set up and how LDAP works.

Good luck,

Joe K.


Post by Joe Kapla » Sun, 24 Nov 2002 08:15:17


In the previous code sample, I forgot to give you the all-important ldap filter:

searcher.Filter = "(&(objectCategory=person)(objectClass=user))"

That will find all users under the search root given the search scope provided.

You could easily modify this query to get any object you want based on appropriate ldap filter syntax.

Sorry about that.

Joe K.
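
Added example, not part of the original thread and not the posters' code: it builds the "users in a group" search from the `memberOf` attribute mentioned above and escapes the group DN per RFC 4515 before it goes into the filter, which matters when the value comes from a web form. `EscapeFilterValue`, `UsersInGroupFilter`, `FindDistinguishedNames` and the sample DN are hypothetical names chosen for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

Module GroupQueryExample

    ' RFC 4515 escaping for a value placed inside a search filter. The backslash
    ' is replaced first so the escapes added afterwards are not escaped again.
    Function EscapeFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                    .Replace(")", "\29").Replace(Char.MinValue.ToString(), "\00")
    End Function

    ' Users whose memberOf holds the group DN: the link described in the thread,
    ' read from the user side instead of the group's member attribute.
    Function UsersInGroupFilter(ByVal groupDn As String) As String
        Return "(&(objectCategory=person)(objectClass=user)(memberOf=" & _
               EscapeFilterValue(groupDn) & "))"
    End Function

    ' Paged subtree search (subtree is the default scope); returns the DNs found.
    Function FindDistinguishedNames(ByVal rootPath As String, ByVal filter As String) As List(Of String)
        Dim names As New List(Of String)()
        Using root As New DirectoryEntry(rootPath)
            Using searcher As New DirectorySearcher(root, filter, New String() {"distinguishedName"})
                searcher.PageSize = 1000
                Using results As SearchResultCollection = searcher.FindAll()
                    For Each r As SearchResult In results
                        names.Add(r.Properties("distinguishedName")(0).ToString())
                    Next
                End Using
            End Using
        End Using
        Return names
    End Function

    Sub Main(ByVal args As String())
        ' Constructed sample DN; unescaped, its parentheses would corrupt the filter.
        Dim filter As String = UsersInGroupFilter("CN=Ops (EU),OU=Groups,DC=mydomain,DC=com")
        Console.WriteLine(filter)
        ' Optional argument: a search root such as LDAP://DC=mydomain,DC=com
        If args.Length > 0 Then
            For Each dn As String In FindDistinguishedNames(args(0), filter)
                Console.WriteLine(dn)
            Next
        End If
    End Sub
End Module
```

Without an argument the program only prints the escaped filter, so it can be checked on a machine that is not joined to a domain. `memberOf` does not include a user's primary group (normally Domain Users), so a search like this will not return every account for that group.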

 
 
 
