
I'm using the DirectoryEntry class.

I'm trying to read all users from a specific OU and its sub-OUs.

The following code is part of a task:

    // Requires: using System.DirectoryServices;
    using (DirectoryEntry dEntry = new DirectoryEntry(dn))
    using (DirectorySearcher dSearcher = new DirectorySearcher(dEntry))
    {
        dSearcher.SearchScope = SearchScope.Subtree;
        dSearcher.Filter = "(&(objectClass=user)(objectCategory=person))";
        foreach (SearchResult result in dSearcher.FindAll())
        {
            // Do something...
        }
    }

Some of the sub-OUs are protected from reading for the current user, and I got the task exception "one or more errors occurred". I'm looking for a way to check if an OU is not accessible and skip it, and to write that OU to a log. I tried the following:

    // Requires: using System.Collections.Generic; using System.DirectoryServices;
    public void GetOu(List<MyUser> list, string path)
    {
        using (DirectoryEntry dEntry = new DirectoryEntry(path))
        using (DirectorySearcher dSearcher = new DirectorySearcher(dEntry))
        {
            // Find every OU below the starting path...
            dSearcher.SearchScope = SearchScope.Subtree;
            dSearcher.Filter = "(objectClass=organizationalUnit)";
            foreach (SearchResult result in dSearcher.FindAll())
            {
                GetUsersFromOU(list, result.GetDirectoryEntry());
            }
        }
    }

    public void GetUsersFromOU(List<MyUser> list, DirectoryEntry ou)
    {
        // ...then read only the users directly inside each OU.
        using (DirectorySearcher dSearcher = new DirectorySearcher(ou))
        {
            dSearcher.SearchScope = SearchScope.OneLevel;
            dSearcher.Filter = "(&(objectClass=user)(objectCategory=person))";
            foreach (SearchResult result in dSearcher.FindAll())
            {
                // Do something.... update list...
            }
        }
    }

Now I get no exceptions and it skips the inaccessible OUs, but:

1. I still can't find which are the "bad OUs".
2. The run time is catastrophic...

1 Answer


You will have to make sure that the user running the process has the appropriate permissions to perform the lookup. This will be your Windows account in a desktop application and the account running the application pool in an ASP.NET application.

w0051977
  • That's the point, I cannot be sure that the user running the app has permission for a specific OU. So I need to collect the "deny access"es. I need a way to know if an OU is accessible or not by the user. The user is defined by IIS. – Yuri Sokolov Sep 10 '17 at 12:55
  • Surely you should be using an Admin account if you are using AD (through C#)? – w0051977 Sep 10 '17 at 12:58
  • This question may help you: https://stackoverflow.com/questions/2810613/how-to-find-all-groups-in-activedirectory-where-the-current-user-has-writepropert – w0051977 Sep 10 '17 at 13:02
  • "Surely you should be using an Admin account if you are using AD (through C#)?" That is a great wish, but not my reality. – Yuri Sokolov Sep 10 '17 at 13:19
  • Thank you, that link is very helpful! – Yuri Sokolov Sep 10 '17 at 13:21
  • @Yuri, no problem. Don't forget to upvote/accept if the answer helped. – w0051977 Sep 10 '17 at 13:46
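
An added example, not code from the question or the answer: one way to record which OUs fail for the current account is to walk the tree one level at a time and catch the failure per OU. The names `OuScanner` and `ReadUsers` are hypothetical, and the sketch assumes an unreadable OU surfaces as a `COMException` or `UnauthorizedAccessException` when it is bound or searched.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class OuScanner   // hypothetical name
{
    // Returns the ADsPaths of the users found; OUs that fail are recorded in 'denied'.
    public static List<string> ReadUsers(string rootPath, List<string> denied)
    {
        var users = new List<string>();
        var pending = new Stack<string>();
        pending.Push(rootPath);
        while (pending.Count > 0)
        {
            string path = pending.Pop();
            try
            {
                using (var entry = new DirectoryEntry(path))
                using (var searcher = new DirectorySearcher(entry))
                {
                    // One query per OU returns both its child OUs and its users.
                    searcher.SearchScope = SearchScope.OneLevel;
                    searcher.PageSize = 1000;   // page results past the server size limit
                    searcher.Filter = "(|(objectClass=organizationalUnit)" +
                        "(&(objectClass=user)(objectCategory=person)))";
                    searcher.PropertiesToLoad.Add("objectClass");
                    // Errors can surface at FindAll() or while enumerating: keep both in the try.
                    using (SearchResultCollection results = searcher.FindAll())
                    {
                        foreach (SearchResult r in results)
                        {
                            if (r.Properties["objectClass"].Contains("organizationalUnit"))
                                pending.Push(r.Path);   // visit this child OU later
                            else
                                users.Add(r.Path);
                        }
                    }
                }
            }
            catch (Exception ex) when (ex is COMException || ex is UnauthorizedAccessException)
            {
                denied.Add(path + " : " + ex.Message);  // log the "bad OU" and keep going
            }
        }
        return users;
    }
}
```

An OU that the directory silently omits from the results raises nothing, so it cannot be reported this way; only OUs whose bind or search actually fails end up in `denied`.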