User and Group Information in AD
Continuing our Active Directory theme from the last post, I wanted to follow up on locating the groups that users belong to, or groups you'd like to add to a user account. These examples will also continue with the .NET 3.5 DirectoryServices.AccountManagement namespace, since it needs quite a bit less code than the .NET 2.0 methods.
So, the first example deals with getting all of the groups of a user account. Some of the code you might have already seen.
```csharp
using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain
// ie not just the site's user OU
// FQDC = Fully Qualified Domain Controller
string FQDC = "dc01.corp.example"; // placeholder: your domain controller's FQDN
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current groups (direct membership only)
            PrincipalSearchResult<Principal> groups = user.GetGroups();
            // Iterate group membership
            foreach (GroupPrincipal g in groups)
            {
                Console.WriteLine(g.Name);
            }
        }
    }
    catch (PrincipalServerDownException ex)
    {
        // The try block needs a handler to compile; this covers an unreachable DC
        Console.WriteLine("Could not contact the domain controller: " + ex.Message);
    }
    finally
    {
        if (user != null) user.Dispose();
    }
}
```
Now we know how to grab the group information for a user, but what if we want to remove a group?
```csharp
using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain
// ie not just the site's user OU
// FQDC = Fully Qualified Domain Controller
string FQDC = "dc01.corp.example"; // placeholder: your domain controller's FQDN
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Search for current groups
            PrincipalSearchResult<Principal> groups = user.GetGroups();
            // Iterate group membership and remove the IT_Dept group
            foreach (GroupPrincipal g in groups)
            {
                if (g.Name == "IT_Dept")
                {
                    // Removing a member is a write to the group object,
                    // so the calling account needs write access to it
                    g.Members.Remove(user);
                    g.Save();
                }
            }
        }
    }
    catch (PrincipalServerDownException ex)
    {
        Console.WriteLine("Could not contact the domain controller: " + ex.Message);
    }
    finally
    {
        if (user != null) user.Dispose();
    }
}
```
Finally, adding a new group is a little different.
```csharp
using System;
using System.DirectoryServices.AccountManagement;

UserPrincipal user = null;
// Create a PrincipalContext that will search the full domain
// ie not just the site's user OU
// FQDC = Fully Qualified Domain Controller
string FQDC = "dc01.corp.example"; // placeholder: your domain controller's FQDN
string userName = "MyUserToSearch";
using (var context = new PrincipalContext(ContextType.Domain, FQDC))
{
    try
    {
        if ((user = UserPrincipal.FindByIdentity(context, userName)) != null)
        {
            // Add user to new group
            string groupName = "GroupToAddUser";
            using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName))
            {
                // FindByIdentity returns null when the group does not exist
                if (group == null)
                {
                    Console.WriteLine("Group not found: " + groupName);
                    return;
                }
                // Verify user is not currently a member and save
                if (!group.Members.Contains(user))
                {
                    group.Members.Add(user);
                    group.Save();
                }
            }
        }
    }
    catch (PrincipalServerDownException ex)
    {
        Console.WriteLine("Could not contact the domain controller: " + ex.Message);
    }
    finally
    {
        if (user != null) user.Dispose();
    }
}
```
Here we search for the group name explicitly, check that the user isn't already in it and then add the user. Pretty simple stuff. Keep in mind that the PrincipalContext runs under the calling account's credentials, so Save() on a group only succeeds where that account has write access to the group's membership.
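One caveat worth knowing: GetGroups() returns only the groups a user is a direct member of, while a user's effective rights also come from nested groups. The following added example (not from the original post) uses GetAuthorizationGroups(), which expands nesting, to list the groups a user holds only through nesting; it reuses the FQDC placeholder idea from above and the helper name InheritedGroups is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

static class GroupAudit
{
    // Returns the names of groups the user belongs to only via nesting.
    // Direct membership comes from GetGroups(); effective membership from
    // GetAuthorizationGroups(), which also includes well-known groups such as
    // Authenticated Users, so expect a few of those in the result as well.
    public static List<string> InheritedGroups(PrincipalContext context, string userName)
    {
        var inherited = new List<string>();
        using (UserPrincipal user = UserPrincipal.FindByIdentity(context, userName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + userName);

            // Compare by SID rather than name: names can collide, SIDs cannot
            var direct = new HashSet<string>();
            using (PrincipalSearchResult<Principal> groups = user.GetGroups())
            {
                foreach (Principal g in groups)
                    direct.Add(g.Sid.Value);
            }

            using (PrincipalSearchResult<Principal> effective = user.GetAuthorizationGroups())
            {
                foreach (Principal g in effective)
                {
                    if (!direct.Contains(g.Sid.Value))
                        inherited.Add(g.SamAccountName ?? g.Name);
                }
            }
        }
        return inherited;
    }

    static void Main()
    {
        string FQDC = "dc01.corp.example"; // placeholder: your domain controller's FQDN
        using (var context = new PrincipalContext(ContextType.Domain, FQDC))
        {
            foreach (string g in InheritedGroups(context, "MyUserToSearch"))
                Console.WriteLine("inherited via nesting: " + g);
        }
    }
}
```

GetAuthorizationGroups() can throw a PrincipalOperationException when a group SID in the user's token no longer resolves (for example a deleted group), so wrap the call in a handler in production code.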
Any way to add a group inside another group to build a hierarchy?
Daniel, the Principal Members.Add method can be overloaded as follows to allow the addition of a group to a group.
group.Members.Add(principalContext, IdentityType.Name, "GroupName")
Of course the code above can be adjusted to search for and manipulate a group instead of a user.
LMK if that doesn’t answer your question.
Hi Chris,
Very useful post.
Thank you so much.
Best Regards,
Thet