Many organisations use their Active Directory services to assign security policies to their internal software and the one I’m currently working for is no different. The web application I’m currently developing extracts the username from the HTTP header and then queries the Active Directory service to see if that user belongs to a particular AD group. I have been implementing functionality to allow the application to add and remove users from this group and I thought I’d give a brief overview of how this is done…
The first thing you need is a service account username and password with full control of the AD group you wish to modify; you can then implement the following to add a user to this group — just plug in the correct strings for your particular setup:
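/// <summary>
/// Adds the user identified by <paramref name="userName"/> (a sAMAccountName) to the RAPS
/// Active Directory group, unless that user is already a member.
/// The directory is bound with a service account that can modify the group.
/// </summary>
/// <param name="userName">
/// sAMAccountName of the user to add. Treated as untrusted input: it is escaped before it is
/// placed in the LDAP filter so that a crafted name cannot widen or alter the search.
/// </param>
/// <exception cref="ArgumentException">
/// <paramref name="userName"/> is null/blank, or no user with that sAMAccountName exists.
/// </exception>
/// <exception cref="InvalidOperationException">The configured group cannot be found.</exception>
public void AddUserToRAPSGroup(string userName)
{
    if (string.IsNullOrWhiteSpace(userName))
    {
        throw new ArgumentException("A user name is required.", nameof(userName));
    }

    // Placeholders for your environment. Read these from configuration / a secret store
    // rather than hard-coding them; the service account only needs write access to the
    // group's membership, not broader rights.
    const string adServerName = "<AD Server Name>";
    const string adUsername = "<AD Username>";
    const string adPassword = "<AD Password>";
    const string adGroupName = "<AD GroupName>";

    // Bind to the directory as the service account. Every DirectoryEntry / searcher below is
    // disposed on exit so LDAP connections are not leaked, even when an exception is thrown.
    using (DirectoryEntry ldapRoot = new DirectoryEntry("LDAP://" + adServerName))
    {
        ldapRoot.Username = adServerName + @"\" + adUsername;
        ldapRoot.Password = adPassword;

        // Escaping the values closes the LDAP-filter injection that plain concatenation allows
        // (e.g. a userName of "*" would otherwise match the first user in the directory).
        string userFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
            + EscapeLdapFilterValue(userName) + "))";
        string groupFilter = "(&(objectClass=group)(cn=" + EscapeLdapFilterValue(adGroupName) + "))";

        using (DirectoryEntry user = FindSingleEntry(ldapRoot, userFilter))
        {
            // FindOne() returns null when nothing matches; the original code dereferenced it.
            if (user == null)
            {
                throw new ArgumentException("No user with that sAMAccountName was found.", nameof(userName));
            }

            using (DirectoryEntry group = FindSingleEntry(ldapRoot, groupFilter))
            {
                if (group == null)
                {
                    throw new InvalidOperationException("The configured AD group was not found.");
                }

                // Adding an existing member fails on the server side, so check first.
                if (!IsMemberOf(group, user))
                {
                    group.Invoke("Add", new object[] { user.Path });
                }
            }
        }
    }
}

/// <summary>
/// Runs <paramref name="filter"/> under <paramref name="searchRoot"/> and returns the first
/// matching entry (bound with the search root's credentials), or null when nothing matches.
/// The caller owns and must dispose the returned entry.
/// </summary>
private static DirectoryEntry FindSingleEntry(DirectoryEntry searchRoot, string filter)
{
    using (DirectorySearcher searcher = new DirectorySearcher(searchRoot, filter))
    {
        // Only the path is needed to bind the entry; keep the result set small.
        searcher.PropertiesToLoad.Add("distinguishedName");
        SearchResult result = searcher.FindOne();
        return result == null ? null : result.GetDirectoryEntry();
    }
}

/// <summary>
/// Returns true when <paramref name="user"/> already appears in the group's member list.
/// </summary>
private static bool IsMemberOf(DirectoryEntry group, DirectoryEntry user)
{
    // IADsGroup.Members yields one ADSI object per member. Membership is decided by comparing
    // RDNs (Name, e.g. "CN=jdoe"), as the original code did.
    // NOTE(review): two objects with the same CN in different OUs would compare equal here;
    // compare distinguishedName instead if that can occur in your directory.
    object members = group.Invoke("Members", null);
    foreach (object member in (IEnumerable)members)
    {
        using (DirectoryEntry memberEntry = new DirectoryEntry(member))
        {
            if (string.Equals(memberEntry.Name, user.Name, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
    }
    return false;
}

/// <summary>
/// Escapes a value for use inside an LDAP search filter (RFC 4515 §3): the characters
/// '\', '*', '(', ')' and NUL are replaced by their "\xx" hex forms so they are matched
/// literally instead of being interpreted as filter syntax.
/// </summary>
/// <param name="value">Raw attribute value; null is treated as empty.</param>
/// <returns>The escaped value, safe to concatenate into a filter.</returns>
private static string EscapeLdapFilterValue(string value)
{
    if (string.IsNullOrEmpty(value))
    {
        return string.Empty;
    }

    StringBuilder escaped = new StringBuilder(value.Length);
    foreach (char c in value)
    {
        switch (c)
        {
            case '\\': escaped.Append(@"\5c"); break;
            case '*': escaped.Append(@"\2a"); break;
            case '(': escaped.Append(@"\28"); break;
            case ')': escaped.Append(@"\29"); break;
            case '\0': escaped.Append(@"\00"); break;
            default: escaped.Append(c); break;
        }
    }
    return escaped.ToString();
}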