User and Group Information in AD

Continuing our Active Directory theme from the last post, I wanted to follow up on locating the groups a user belongs to, removing a user from a group, and adding a user to a group. These examples continue to use the .Net 3.5 DirectoryServices.AccountManagement namespace, since it needs quite a bit less code than the .Net 2.0 methods.

So, the first example deals with getting all of the groups of a user account. Some of the code you might have already seen.

using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain,
// i.e. not just the site's user OU.
// FQDC = Fully Qualified Domain Controller (placeholder value, replace with your DC's FQDN)
string FQDC = "dc01.example.com";
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current (direct) groups
            PrincipalSearchResult<Principal> groups = user.GetGroups();

            // Iterate group membership
            foreach (GroupPrincipal g in groups)
            {
                Console.WriteLine(g.Name);
            }
        }
    }
    catch (PrincipalException ex)
    {
        // Base class for server-down, operation and other directory errors;
        // a try block without a catch or finally does not compile
        Console.WriteLine("Directory query failed: " + ex.Message);
    }
}

Now we know how to grab the group information for a user, but what if we want to remove a group?

using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain,
// i.e. not just the site's user OU.
// FQDC = Fully Qualified Domain Controller (placeholder value, replace with your DC's FQDN)
string FQDC = "dc01.example.com";
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current groups
            PrincipalSearchResult<Principal> groups = user.GetGroups();

            // Iterate group membership and remove the IT_Dept group
            // (note: a user's primary group, usually Domain Users, cannot be removed this way)
            foreach (GroupPrincipal g in groups)
            {
                if (g.Name == "IT_Dept")
                {
                    g.Members.Remove(user);
                    g.Save();
                }
            }
        }
    }
    catch (PrincipalException ex)
    {
        Console.WriteLine("Group removal failed: " + ex.Message);
    }
}

Finally, adding a new group is a little different.

using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain,
// i.e. not just the site's user OU.
// FQDC = Fully Qualified Domain Controller (placeholder value, replace with your DC's FQDN)
string FQDC = "dc01.example.com";
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Add user to new group
            string groupName = "GroupToAddUser";
            using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName))
            {
                // FindByIdentity returns null when the group does not exist;
                // verify the user is not currently a member, then save
                if (group != null && !group.Members.Contains(user))
                {
                    group.Members.Add(user);
                    group.Save();
                }
            }
        }
    }
    catch (PrincipalException ex)
    {
        Console.WriteLine("Group add failed: " + ex.Message);
    }
}

Here we search for the group by name explicitly, check that the user isn't already a member, and then add the user. Pretty simple stuff.
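One caveat worth knowing when you use these calls for auditing: GetGroups() only returns the groups a user is a direct member of, so a user who sits in "Helpdesk", which is itself nested in "Domain Admins", will not show "Domain Admins" in that list. The example below is added here and is not from the original post; it uses the same namespace's GetAuthorizationGroups() to expand nested membership and flags effective membership in a few built-in privileged groups. The domain controller name and the user name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class GroupAudit
{
    // Groups the user is a direct member of (what GetGroups() returns).
    public static HashSet<string> DirectGroups(UserPrincipal user)
    {
        using (var groups = user.GetGroups())
            return ToNames(groups);
    }

    // Effective membership: GetAuthorizationGroups() expands nested groups,
    // so membership inherited through a chain of groups shows up here.
    public static HashSet<string> EffectiveGroups(UserPrincipal user)
    {
        using (var groups = user.GetAuthorizationGroups())
            return ToNames(groups);
    }

    // Some well-known principals come back without a Name; fall back to the SID.
    static HashSet<string> ToNames(PrincipalSearchResult<Principal> groups)
    {
        return new HashSet<string>(
            groups.Select(g => g.Name ?? g.Sid.ToString()),
            StringComparer.OrdinalIgnoreCase);
    }

    static void Main()
    {
        string fqdc = "dc01.example.com";   // placeholder: your DC's FQDN
        string userName = "MyUserToSearch"; // hypothetical account to audit
        string[] sensitive = { "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators" };
        using (var context = new PrincipalContext(ContextType.Domain, fqdc))
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userName))
        {
            if (user == null) { Console.WriteLine("User not found"); return; }
            var direct = DirectGroups(user);
            var effective = EffectiveGroups(user);
            // Membership that exists only through nesting is missed by GetGroups() alone
            foreach (var name in effective.Except(direct))
                Console.WriteLine("Nested (indirect) membership: " + name);
            foreach (var name in sensitive.Where(effective.Contains))
                Console.WriteLine("Privileged membership: " + name);
        }
    }
}
```

GetAuthorizationGroups() reads the account's token groups, so it needs a context that can query the domain controller; run it with the same PrincipalContext you use for the examples above.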


    • Daniel, the Principal Members.Add method can be overloaded as follows to allow the addition of a group to a group.

      group.Members.Add(principalContext, IdentityType.Name, "GroupName")

      Of course the code above can be adjusted to search for and manipulate a group instead of a user.

      LMK if that doesn’t answer your question.