
Here is what I am trying to achieve: I have a nested OU structure that is about 5 levels deep.

OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com

I am trying to find out if the user has permissions/exists at OU=Portal.

Here's a snippet of what I currently have:

```csharp
using System.DirectoryServices.AccountManagement;

// Context scoped to the OU=Portal container
PrincipalContext domain = new PrincipalContext(
    ContextType.Domain,
    "test.com",
    "OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com");

UserPrincipal user = UserPrincipal.FindByIdentity(domain, myusername);
PrincipalSearchResult<Principal> group = user.GetAuthorizationGroups();
```

For some unknown reason, the value user generated from the above code is always null. However, if I were to drop all the OU as follows:

```csharp
// Context scoped to the domain root
PrincipalContext domain = new PrincipalContext(
    ContextType.Domain,
    "test.com",
    "DC=test,DC=com");

UserPrincipal user = UserPrincipal.FindByIdentity(domain, myusername);
PrincipalSearchResult<Principal> group = user.GetAuthorizationGroups();
```

this would work just fine and return me the correct user. I am simply trying to reduce the number of results as opposed to getting everything from AD.

Is there anything that I am doing wrong? I've Googled for hours and tested various combinations without much luck.

svick
XXX
  • Unlike forum sites, we don't use "Thanks", or "Any help appreciated", or signatures on [so]. See "[Should 'Hi', 'thanks,' taglines, and salutations be removed from posts?](http://meta.stackexchange.com/questions/2950/should-hi-thanks-taglines-and-salutations-be-removed-from-posts)". – John Saunders Sep 27 '12 at 09:55

5 Answers


Well, if

UserPrincipal.FindByIdentity(context, identityType, username) == null

then the user has not been found, which in your case probably is, because the user isn't defined in the OU= you are setting as container in your Context.

TGlatzer
  • The user is defined in one of the Groups assigned as members in one of the Groups under OU=Portal. For example, OU=Portal >> Group App)ViewData has A,B,C as its members. Now users are classified into departments in a different OU. For example, OU=Usrs >> Group Sec)IT has A and B as members and OU=Portal >> Group App)ViewData now has Sec)IT and C as its members. – XXX Oct 02 '12 at 07:14
  • As I said before, if it cannot find the user it returns null, and your user has not only to be assigned to a group, but it has to be defined in that OU that you pass as container. See the DN of your user to see where he is defined. – TGlatzer Oct 02 '12 at 11:40

After much exploring, experimentation, googling and searching through Stack Overflow, it appears that .NET does not have a built-in method to 'read' a particular OU that has a reference to an external Group that contains users as its members. Unfortunately, the suggested and recommended solution is to retrieve at domain level and perform some form of custom filtering.

XXX
  • It seems to me you could search for users and groups in the OU you are interested in and search each group for users. It is a funny thing to try to use both OU position and group membership in a group in the OU to represent something. – NetMage Aug 26 '16 at 22:21
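The domain-level lookup plus custom filtering described in this answer (and the group-by-group check suggested in the comment), as an added example that is not part of the original post. The domain and OU are those from the question; the user name and group names are placeholders, and the code assumes the .NET Framework `System.DirectoryServices.AccountManagement` assembly is referenced.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class PortalAccessCheck
{
    // Domain and container DN taken from the question.
    const string Domain = "test.com";
    const string PortalOu = "OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com";

    // Names of the groups stored under OU=Portal that the user belongs to, directly or via nesting.
    public static List<string> PortalGroupsFor(string samAccountName)
    {
        // A context rooted at OU=Portal only finds objects stored in that subtree, so look the user up at the root.
        using (var domainCtx = new PrincipalContext(ContextType.Domain, Domain))
        using (var portalCtx = new PrincipalContext(ContextType.Domain, Domain, PortalOu))
        {
            var user = UserPrincipal.FindByIdentity(domainCtx, IdentityType.SamAccountName, samAccountName);
            if (user == null)
                throw new ArgumentException("User not found in " + Domain, nameof(samAccountName));

            // GetAuthorizationGroups expands nested membership, so a member of Sec)IT is also reported for App)ViewData.
            var userGroupSids = new HashSet<string>(
                user.GetAuthorizationGroups()
                    .Where(g => g.Sid != null)
                    .Select(g => g.Sid.Value));

            // Enumerate only the groups stored under OU=Portal (the scoped context helps here) and intersect.
            using (var searcher = new PrincipalSearcher(new GroupPrincipal(portalCtx)))
            {
                return searcher.FindAll()
                    .OfType<GroupPrincipal>()
                    .Where(g => g.Sid != null && userGroupSids.Contains(g.Sid.Value))
                    .Select(g => g.Name)
                    .ToList();
            }
        }
    }

    static void Main(string[] args)
    {
        // "jdoe" is a placeholder user name, not one from the question.
        var groups = PortalGroupsFor(args.Length > 0 ? args[0] : "jdoe");
        Console.WriteLine(groups.Count == 0
            ? "User has no group under OU=Portal"
            : "Groups under OU=Portal: " + string.Join(", ", groups));
    }
}
```

An empty result means the user is in none of the OU=Portal groups, even through a departmental group; a null user means the account does not exist in the domain at all.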

Is the user you're looking for inside OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com ?

What does your user object look like after your second search? What is its DistinguishedName property?

The search you have in your first example will only search for objects inside that sub-sub-sub-sub-OU (the OU=Portal, .... that you have).

If your user exists in some other OU, then you have to search from the top of the domain - or inside the OU where the user actually exists (or any of its parents).

marc_s
  • The user is defined in one of the Groups assigned as members in one of the Groups under OU=Portal. For example, OU=Portal >> Group App)ViewData has A,B,C as its members. Now users are classified into departments in a different OU. For example, OU=Usrs >> Group Sec)IT has A and B as members and OU=Portal >> Group App)ViewData now has Sec)IT and C as its members. – XXX Oct 02 '12 at 07:16

The user does not exist there, or you would not get null returned.

What is your end game? What do you mean by:

> I am trying to find out if the user has permissions at OU=Portal.

What type of permissions are you looking for? Admin delegation?

Daro
  • At the present moment, functions are aggregated as groups. The current design is that each logical function is assigned as a Group in an OU and users are assigned as members. For example, OU=Portal >> Group App)ViewData has A,B,C as its members. Now users are classified into departments in a different OU. For example, OU=Usrs >> Group Sec)IT has A and B as members and OU=Portal >> Group App)ViewData now has Sec)IT and C as its members. – XXX Oct 02 '12 at 07:12

Hope this is of some help. I was having the same problem trying to retrieve groups from a nested OU. The structure of the OU was Groups > WebGroups. So I was writing the following...

```csharp
var ctx = new PrincipalContext(ContextType.Domain, "domain", "OU=Groups,OU=WebGroups,DC=domain,DC=ie", "username", "password");
```

Turns out the order matters, WebGroups has to come first. When I changed it to the following my code worked...

```csharp
var ctx = new PrincipalContext(ContextType.Domain, "domain", "OU=WebGroups,OU=Groups,DC=domain,DC=ie", "username", "password");
```

So I'm assuming you'd have to write "OU=Admin,OU=Groups... OU=Portal" to get yours working.

Simon