date: Sat, 5 Jul 2008 14:45:07 -0700 (PDT),    group: microsoft.public.dotnet.framework.aspnet.security


querying AD users   
hello,

i haven't done any research on this yet and about to, but i wanted to
see if anyone had any recommended links on programmatically working w/
AD users. (namely, looking up all users that begin w/ a certain
letter, or getting back a list of users matching a first name, etc..)

i'm building a UI that allows my admin-users to manage other users, it's
going to be used for securing access to parts of our apps.


thanks, and i'll post what i find.

sm
date: Sat, 5 Jul 2008 14:45:07 -0700 (PDT)   author:   SpaceMarine

Re: querying AD users   
looks like the DirectoryServices class is where it's at for this. the
DirectorySearcher class is used for, well, searching the directory.
there is a .Filter prop for passing in queries:

http://msdn.microsoft.com/en-us/library/system.directoryservices.directorysearcher.filter.aspx

...now i just gotta figure out the proper filter. it's LDAP syntax. to
get all users w/ a last name of "A", i think it's something like:

    .Filter = "(objectClass=user)(lastName >= A)"


sm
date: Sun, 6 Jul 2008 09:44:26 -0700 (PDT)   author:   SpaceMarine

Re: querying AD users   
On Jul 6, 11:44 am, SpaceMarine  wrote:

>     .Filter = "(objectClass=user)(lastName >= A)"

actually asterisk wildcards are supported, so it's probably more like

   lastName = A*

...will have to play around w/ it in the office.

sm
date: Sun, 6 Jul 2008 09:50:39 -0700 (PDT)   author:   SpaceMarine

Re: querying AD users   
On Jul 6, 6:50 pm, SpaceMarine  wrote:
> On Jul 6, 11:44 am, SpaceMarine  wrote:
>
> >     .Filter = "(objectClass=user)(lastName >= A)"
>
> actually asterisk wildcards are supported, so it's probably more like
>
>    lastName = A*
>
> ...will have to play around w/ it in the office.
>
> sm

Note, that if you run it from the ASP.NET application on a server, in
most cases you may need to implement impersonation in the application,
before you access the AD.

http://support.microsoft.com/kb/306158
date: Mon, 7 Jul 2008 11:29:47 -0700 (PDT)   author:   Alexey Smirnov

Re: querying AD users   
On Jul 6, 6:50 pm, SpaceMarine  wrote:
> On Jul 6, 11:44 am, SpaceMarine  wrote:
>
> >     .Filter = "(objectClass=user)(lastName >= A)"
>
> actually asterisk wildcards are supported, so it's probably more like
>
>    lastName = A*
>
> ...will have to play around w/ it in the office.
>
> sm

ping
date: Mon, 7 Jul 2008 12:14:17 -0700 (PDT)   author:   Alexey Smirnov

Re: querying AD users   
On Jul 7, 1:29 pm, Alexey Smirnov  wrote:

> Note, that if you run it from the ASP.NET application on a server, in
> most cases you may need to implement impersonation in the application,
> before you access the AD.

well, i'd like to avoid impersonation if possible. if my DirectoryEntry
class is instantiated w/ an optional username & password in its
constructor (a service account given to me by our AD admin), then
would i no longer need to impersonate?


sm
date: Mon, 7 Jul 2008 20:53:34 -0700 (PDT)   author:   SpaceMarine

Re: querying AD users   
On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine  wrote:

¤ On Jul 7, 1:29 pm, Alexey Smirnov  wrote:
¤ 
¤ > Note, that if you run it from the ASP.NET application on a server, in
¤ > most cases you may need to implement impersonation in the application,
¤ > before you access the AD.
¤ 
¤ well, i'd like to avoid impersonation if possible. if my DirectoryEntry
¤ class is instantiated w/ an optional username & password in its
¤ constructor (a service account given to me by our AD admin), then
¤ would i no longer need to impersonate?

As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
privilege account.

With respect to syntax you would want to include the "and" operator in your query as well:

 .Filter = "(&(objectClass=user)(lastName = A*))"

The following link should help you with LDAP query syntax:

http://msdn.microsoft.com/en-us/library/aa746475.aspx


Paul
~~~~
Microsoft MVP (Visual Basic)
date: Tue, 08 Jul 2008 10:50:48 -0500   author:   Paul Clement

Re: querying AD users   
On Jul 8, 5:50 pm, Paul Clement
 wrote:
> On Mon, 7 Jul 2008 20:53:34 -0700 (PDT), SpaceMarine  wrote:
>
> ¤ On Jul 7, 1:29 pm, Alexey Smirnov  wrote:
> ¤
> ¤ > Note, that if you run it from the ASP.NET application on a server, in
> ¤ > most cases you may need to implement impersonation in the application,
> ¤ > before you access the AD.
> ¤
> ¤ well, i'd like to avoid impersonation if possible. if my DirectoryEntry
> ¤ class is instantiated w/ an optional username & password in its
> ¤ constructor (a service account given to me by our AD admin), then
> ¤ would i no longer need to impersonate?
>
> As long as your ASP.NET app is running under an account that has sufficient permissions to query AD
> then you should be fine. W/o impersonation, the default account would be ASPNET (2000, XP) or
> NetworkService (2003 or higher). You can also configure your ASP.NET app to run under a custom least
> privilege account.
>
> With respect to syntax you would want to include the "and" operator in your query as well:
>
>  .Filter = "(&(objectClass=user)(lastName = A*))"
>
> The following link should help you with LDAP query syntax:
>
> http://msdn.microsoft.com/en-us/library/aa746475.aspx
>

sm, you can also move the code for AD to a separate class library
DLL, and refer to it from your main ASP.NET application. You would
need to register that DLL as a COM component (Administrative Tools -
Component Services) using an account that has sufficient permissions
to query AD. In this case you would not need to make an impersonation
within your application and all requests to AD would go through the COM
date: Wed, 9 Jul 2008 05:25:58 -0700 (PDT)   author:   Alexey Smirnov
