User and Group Information in AD

Continuing our Active Directory theme from the last post, I wanted to follow up on locating the groups that users belong to or groups you’d like to add to a user account. These examples will also continue with using the .Net 3.5 DirectoryServices.AccountManagement namespace since there is quite a bit less code than using the methods for .Net 2.0.

So, the first example deals with getting all of the groups of a user account. Some of the code you might have already seen.

UserPrincipal user = null;
//Create a PrincipleContext that will search the full domain
//ie not just the site's user OU
//FQDC = Fully Qualified Domain Controller
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current groups
            PrincipalSearchResult<Principal> groups = user.GetGroups();

            // Iterate group membership
            foreach (GroupPrincipal g in groups)
            {
                Console.WriteLine(g.Name);
            }
        }
    }
}

Now we know how to grab the group information for a user, but what if we want to remove a group?

UserPrincipal user = null;
//Create a PrincipleContext that will search the full domain
//ie not just the site's user OU
//FQDC = Fully Qualified Domain Controller
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current groups
            PrincipalSearchResult<Principal> groups = user.GetGroups();

            // Iterate group membership and remove IT_Dept group
            foreach (GroupPrincipal g in groups)
            {
                if (g.Name == "IT_Dept")
                {
                    g.Members.Remove(user);
                    g.Save();
                }
            }
        }
    }
}

Finally, adding a new group is a little different.

UserPrincipal user = null;
//Create a PrincipleContext that will search the full domain
//ie not just the site's user OU
//FQDC = Fully Qualified Domain Controller

string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Add user to new group
            string groupName = "GroupToAddUser";
            using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName))
            {
                // Verify user is not currently a member and save
                if (!group.Members.Contains(user))
                {
                    group.Members.Add(user);
                    group.Save();
                }
            }
        }
    }
}

Here we search for the group name explicitly, check that the user isn’t already in it and then add the user. Pretty simple stuff.

Tags: Active Directory, C#

Friday, August 26th, 2011 C#

3 Comments to User and Group Information in AD

Daniel says:

October 8, 2013 at 11:41 am

Any way to add a group inside another group to build a hierarchy?

Chris says:

October 11, 2013 at 9:00 pm

Daniel, the Principal Members.Add method can be overloaded as follows to allow the addition of a group to a group.

group.Members.Add(principalContext, IdentityType.Name, “GroupName”)

Of course the code above can be adjusted to search for and manipulate a group instead of a user.

LMK if that doesn’t answer your question.

Reply

Thet Tin Oo says:

May 7, 2015 at 9:31 pm

Hi Chris,
Very useful post.
Thank you so much.

Best Regards,
Thet

codingChris

Just a little place for me

User and Group Information in AD

3 Comments to User and Group Information in AD

Leave a Reply to Daniel

Meta

Categories

Subscribe to Blog via Email