Find out if a group in AD is in Distribution group?

3

8

I'm using ASP.net with C# and have very little idea about Active Directory. I've been given a task to write a program following the steps below:

The ASP.net application is given the username of a user.

The application should query all the groups of the user with the given username.

Then the application should display these groups in two separate lists: one consisting of the distribution groups and the other of the rest of the groups.

Now, the querying for all the groups is easy. But how can I check whether the group is in distribution group or not?

I have not been given more information.

Any attribute or something I can check?

Odontalgia answered 1/11, 2011 at 4:31 Comment(0)
3

You can retrieve this information from an attribute called Group-Type (last line).

(0x00000001) : Specifies a group that is created by the system.
(0x00000002) : Specifies a group with global scope.
(0x00000004) : Specifies a group with domain local scope.
(0x00000008) : Specifies a group with universal scope.
(0x00000010) : Specifies an APP_BASIC group for Windows Server Authorization Manager.
(0x00000020) : Specifies an APP_QUERY group for Windows Server Authorization Manager.
(0x80000000) : Specifies a security group. If this flag is not set, then the group is a distribution group.

You can find in this answer or at the bottom of this other one different ways to retrieve groups a user belongs to.

You can find here how to retrieve user.

Lebrun answered 1/11, 2011 at 5:47 Comment(1)
I'm not sure about your answer just yet. Because I haven't figured out what is going on there yet!!! But I don't ask you what you mean because I'd like to figure out myself since now I got time. Thanks a lot though. - Odontalgia
4

This code will retrieve all your email enabled groups, regardless of whether it is a security or distribution group. (Having seen your comment to marc_s's answer, I'm guessing this is actually what your managers are looking for).

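// Needs: using System.Collections.Generic; using System.DirectoryServices;
//        using System.DirectoryServices.AccountManagement;
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    // An empty GroupPrincipal acts as a query-by-example filter matching every group
    Principal prototype = new GroupPrincipal(ctx);
    PrincipalSearcher searcher = new PrincipalSearcher(prototype);
    List<string> groupNames = new List<string>();
    PropertyValueCollection email;

    foreach (var gp in searcher.FindAll()) using (gp)
    {
        GroupPrincipal group = gp as GroupPrincipal;

        // A group is mail-enabled when its "mail" attribute has a value
        using (DirectoryEntry groupEntry = (DirectoryEntry)group.GetUnderlyingObject())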
        {
          email = groupEntry.Properties["mail"];
          if (email.Value != null)
          {
            groupNames.Add(group.Name);
          }
        }
    }
}
Nilotic answered 19/3, 2013 at 16:39 Comment(0)
3

Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if(user != null)
{ 
   // get all roles for that user
   var roles = user.GetGroups();

   // set up two lists for each type of groups
   List<GroupPrincipal> securityGroups = new List<GroupPrincipal>();
   List<GroupPrincipal> distributionGroups = new List<GroupPrincipal>();

   // iterate over groups found
   foreach (Principal p in roles)
   {
       // cast to GroupPrincipal
       GroupPrincipal gp = (p as GroupPrincipal);

       if (gp != null)
       {
           // check whether it's a security group or a distribution group
           // (IsSecurityGroup is a nullable bool, so compare it explicitly)
           if (gp.IsSecurityGroup == true)
              securityGroups.Add(gp);
           else
              distributionGroups.Add(gp);
       }
    }
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

Emmons answered 1/11, 2011 at 6:2 Comment(2)
Thanks a lot. This seems to work. It gives two lists alright, but the management claims the two lists are wrong! Meaning that some distribution groups are in the security groups list. Maybe they're wrong. Anyway thank you very much. By the way, I came up with this weird error when compiling: Cannot implicitly convert type 'bool?' to 'bool'. An explicit conversion exists (are you missing a cast?). It was alright when cast to bool. But what the heck is this datatype 'bool?' ??? Never heard of it! - Odontalgia
@PPGoodMan: that's a nullable bool, meaning it could be NULL, true or false. - Emmons
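
The Group-Type flag table and the mail-attribute check from the answers above, combined in one added example (not code from any of the answers): it decodes raw groupType values as LDAP returns them, as signed 32-bit integers, and separates mail-enabled security groups from pure distribution groups. The class, enum and method names are hypothetical and the sample rows are constructed.

```csharp
using System;
using System.Collections.Generic;

static class GroupTypeDemo   // hypothetical name, not part of any library
{
    // Flag values taken from the Group-Type table quoted in the answer above.
    [Flags]
    enum GroupTypeFlags : uint
    {
        SystemCreated = 0x00000001,
        Global        = 0x00000002,
        DomainLocal   = 0x00000004,
        Universal     = 0x00000008,
        AppBasic      = 0x00000010,
        AppQuery      = 0x00000020,
        Security      = 0x80000000
    }

    // groupType is a signed 32-bit integer in the directory, so security groups
    // come back negative; reinterpret the bits as unsigned before testing flags.
    static string Classify(int rawGroupType, string mail)
    {
        var flags = (GroupTypeFlags)unchecked((uint)rawGroupType);
        bool security = (flags & GroupTypeFlags.Security) != 0;
        bool mailEnabled = !string.IsNullOrEmpty(mail);
        string scope = (flags & GroupTypeFlags.Universal) != 0 ? "universal"
                     : (flags & GroupTypeFlags.Global) != 0 ? "global"
                     : (flags & GroupTypeFlags.DomainLocal) != 0 ? "domain local"
                     : "unknown scope";
        string kind = !security ? "distribution"
                    : mailEnabled ? "mail-enabled security"
                    : "security";
        return scope + " " + kind;
    }

    static void Main()
    {
        // Constructed sample rows: (name, groupType, mail attribute or null).
        var samples = new List<(string Name, int GroupType, string Mail)>
        {
            ("Staff-News",     8,           "staff-news@example.test"),
            ("Finance-RW",     -2147483646, null),
            ("All-Engineers",  -2147483640, "eng@example.test"),
            ("Administrators", -2147483643, null),
        };
        foreach (var s in samples)
            Console.WriteLine($"{s.Name,-15} {Classify(s.GroupType, s.Mail)}");
    }
}
```

A mail-enabled security group still has the 0x80000000 flag set, so `IsSecurityGroup` reports it as a security group even though it also receives mail.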