Get the list of Groups for the given UserPrincipal
I want to get the list of groups which the user is in.

This is my code:

using System.DirectoryServices.AccountManagement;

// Bind to the domain with an explicit container and explicit credentials
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "mydomain.ac.uk", "DC=mydomain,DC=AC,DC=UK", "user", "password");

// Look the user up by sAMAccountName
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "MyUser");

// Groups the user is a direct member of
PrincipalSearchResult<Principal> results = user.GetGroups();

foreach (Principal p in results)
{
   Response.Write(p.Name); // the line that throws
}

When I run it, I get the following error at the line Response.Write(p.Name):

System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist.

When I checked the count of the results, it returned 9, and the first group is DomainUsers.

How can I iterate all 9 groups in the list? Thanks.

The following is the list of users I get:

[screenshot of the result list omitted]

Lenardlenci answered 20/4, 2012 at 10:15 Comment(7)
How do you initialize PrincipalContext? - Educatee
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "mydomain.ac.uk", "DC=mydomain,DC=AC,DC=UK", "user", "password"); - Lenardlenci
The Name attribute may not have been populated (perhaps because it was from a different domain than the one you queried?). Try asking for the DisplayName, DistinguishedName, SamAccountName or Sid. - Busy
I have tried these names but the error is still the same. When I checked in the debug view, the following is the error I get: Name ( '((System.DirectoryServices.AccountManagement.Principal)((new System.Linq.SystemCore_EnumerableDebugView<System.DirectoryServices.AccountManagement.Principal>(results)).Items[1])).Name' threw an exception of type 'System.Runtime.InteropServices.COMException' ) - Lenardlenci
I guess it's because your "user" account doesn't have enough permission to read the group objects. Do you see the DistinguishedName attribute and the Guid attribute? - Lay
I have the same error: I get the collection of groups, but can't get their properties. Did you solve this problem? - Ljoka
@Ljoka var theDirectoryEntry = groupPrincipal.GetUnderlyingObject(); then theDirectoryEntry.Properties["propertyName"].Value as ???. Of course you'll have to iterate through the collection of group principals. - Rhoades
When omitting the LDAP container property as described in PrincipalContext Class, the user running the code must have read permissions to both the default User Container (i.e. CN=Users,DC=yourDomain,DC=COM) and the Computers Container (i.e. CN=Computers,DC=yourDomain,DC=COM).

If the user does not have the required permissions you will get the following error messages:

The specified directory service attribute or value does not exist

  • ‘context.Container’ threw an exception of type ‘System.NullReferenceException’ string {System.NullReferenceException}

  • ‘((new System.Linq.SystemCore_EnumerableDebugView(groups)).Items[5]).Description’ threw an exception of type ‘System.Runtime.InteropServices.COMException’ string {System.Runtime.InteropServices.COMException}

Cacoepy answered 5/8, 2014 at 13:13 Comment(3)
If someone deletes the Computers container in the domain in question, you will get this error as well. For heaven's sake... someone deleted the thing. - Antonina
Anyone attempting to use this.RequestContext.Principal.IsInRole("ad group name") and it always returns false with no exception thrown, this is a possible cause. Restoring the CN and permissions fixed this for me. - Antonina
The link to the blog seems to be broken. - Tenebrific
Try something like:

foreach (Principal p in results)
{
   // only real group objects are guaranteed to carry the group attributes
   if (p is GroupPrincipal)
      Response.Write(p.DisplayName);
}

I know it sounds dumb, but it has worked for me in the past. Your results look like it only actually found 1 security group and 8 "other" types of groups. Those "other" groups may not possess those attributes.

Rhoades answered 4/9, 2012 at 22:06 Comment(1)
For me, Name was better (DisplayName was empty): user.GetGroups().OfType<GroupPrincipal>().Select(p => p.Name) - Aduwa
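A defensive version of the enumeration, added here as an example and not code from any answer above: it filters to GroupPrincipal as the second answer suggests, disposes each principal, and when reading Name throws the COMException from the question it falls back to the underlying DirectoryEntry as Rhoades's comment describes. The domain, container and account name are placeholders, and the lookup runs under the calling process identity rather than hard-coded credentials.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

public static class GroupLookup
{
    // Returns the names of the groups the user is a direct member of.
    // domain/container/samAccountName are placeholders supplied by the caller.
    public static List<string> GetGroupNames(string domain, string container, string samAccountName)
    {
        var names = new List<string>();

        // An explicit container avoids the need for read access to the default
        // CN=Users and CN=Computers containers noted in the first answer.
        // No credentials are passed: the current process identity is used.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, container))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + samAccountName);

            using (PrincipalSearchResult<Principal> results = user.GetGroups())
            {
                foreach (Principal p in results)
                {
                    // Only GroupPrincipal objects are expected to expose group attributes.
                    var group = p as GroupPrincipal;
                    if (group == null) { p.Dispose(); continue; }

                    try
                    {
                        names.Add(group.Name ?? group.SamAccountName);
                    }
                    catch (COMException)
                    {
                        // Attribute not readable through the principal wrapper with the
                        // current permissions: read "cn" from the DirectoryEntry instead.
                        using (var entry = (DirectoryEntry)group.GetUnderlyingObject())
                        {
                            object cn = entry.Properties["cn"].Value;
                            if (cn != null) names.Add(cn.ToString());
                        }
                    }
                    finally { group.Dispose(); }
                }
            }
        }
        return names;
    }
}
```

If a group is still unreadable after the fallback, the identity running the code lacks read permission on that group object, which is the condition the first answer describes.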
