Getting members of an AD domain group using Sharepoint API

Asked 30/11, 2010 at 14:29 Answered 28/5, 2011 at 22:22

Solved c#dns sharepoint-2010 active-directory-group

In my Sharepoint code I display a list of all defined users via:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.

Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).

Flyover answered 30/11, 2010 at 14:29 Comment(0)

You can use the method SPUtility.GetPrincipalsInGroup (MSDN).

All parameters are self-explaining except string input, which is the NT account name of the security group:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.

Update:

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

Edit:

[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]

That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD. In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.

Blight answered 27/5, 2011 at 14:49 Comment(7)

Ok. but does it flat out nested groups? Because inner members are also principals. – Flyover 27/5, 2011 at 14:54

No, nested groups won't be resolved. If performance is not relevant, recursive calls to this method should not be such a big deal. Nested groups will be returned as principal infos as well. – Blight 27/5, 2011 at 15:4

Ok so if I enumerate SPContext.Current.Web.AllUsers and get to domain groups I can use that name to use with GetPrincipalsInGroup? I haven't tested so I'm just asking an additional Q. – Flyover 27/5, 2011 at 15:13

Yes, use SPUser.LoginName for the input parameter. – Blight 27/5, 2011 at 15:21

If think there is an error in your code exmaple. Line "if (i.Type == SPPrincipalType.SecurityGroup)". It should be "i.PrincipalType" and not "i.Type" (at least in SharePoint 2010). – Clutch 21/2, 2013 at 14:1

thank you .it also works for simple sharepoint group which i was looking for – Humboldt 30/4, 2014 at 9:43

This answer worked gloriously for me until I deployed to an environment using Claims Authentication. It seems others have had problems with querying AD from SharePoint that's using Claims Auth, too: sharepoint.stackexchange.com/questions/13223/… – Omnipotent 5/11, 2015 at 16:0

I would suggest you just query Active Directory directly. You are spending a lot of effort to try to get SharePoint to make this call to AD for you. Every account that has Domain User access should be able to query the AD groups you have nested in SharePoint. I would just go to the source.

This way you don't have to worry about Browse User Permissions or anything else. In my opinion trying to proxy this through SharePoint is just making your life more difficult.

Muth answered 28/5, 2011 at 22:22 Comment(2)

Care to add some c# code how to do it? I know I can find it on the net but supporting your answer with some code would be better. – Flyover 29/5, 2011 at 5:0

Sorry, I am still new here. Looks like you could easily modify this to implement a robust solution to your issue. link – Muth 31/5, 2011 at 1:31

Recommended topics

Hot tags