
I'm using the System.DirectoryServices.AccountManagement API to pull a list of groups from AD. These groups all start with the same prefix so it's easy to find them using the prefix and a wildcard. What I'd also like to do is just get the groups that have changed since I last checked. I've subclassed GroupPrincipal to include the whenChanged attribute and I'm using that currently, after I pull my full list of groups, to filter the list. What I'd like to know is, is it possible to perform an AdvancedFilterSearch on a GroupPrincipal? I realize GroupPrincipal doesn't have an AdvancedFilterSearch property. I'm wondering if you add one in a sub-class will PrincipalSearcher use it? If yes, an example would be nice.

Thanks,

Chris McKinnon

Terry Gardner
user612247
Hi, just wondering what do you want to achieve by using an AdvancedFilterSearch? I am asking that as there might be some other strategy to solve your issue by not using an AdvancedFilterSearch – Raymund Apr 26 '11 at 22:55
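For the subclassing approach the question describes, here is an added example (not code from the question or the answer) using the AdvancedFilters extension pattern that System.DirectoryServices.AccountManagement supports for query-by-example searches. TrackedGroupPrincipal, GroupChangeFilter and GroupChangeQuery are hypothetical names, and the example assumes the API converts a DateTime filter value to LDAP generalized time.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// GroupPrincipal extended with a whenChanged property and a custom search filter.
[DirectoryRdnPrefix("CN")]
[DirectoryObjectClass("group")]
public class TrackedGroupPrincipal : GroupPrincipal
{
    public TrackedGroupPrincipal(PrincipalContext context) : base(context) { }

    // whenChanged is kept per domain controller (it is not replicated), so only
    // compare it against timestamps read earlier from the same DC.
    [DirectoryProperty("whenChanged")]
    public DateTime? WhenChanged
    {
        get { object[] v = ExtensionGet("whenChanged"); return v.Length == 0 ? (DateTime?)null : (DateTime)v[0]; }
    }

    private GroupChangeFilter filter;

    // Hides Principal.AdvancedSearchFilter. PrincipalSearcher folds the clauses
    // registered here into the LDAP filter it builds from the query-by-example object.
    public new GroupChangeFilter AdvancedSearchFilter
    {
        get { return filter ?? (filter = new GroupChangeFilter(this)); }
    }
}

public class GroupChangeFilter : AdvancedFilters
{
    public GroupChangeFilter(Principal p) : base(p) { }

    // Adds a (whenChanged>=<generalized time>) clause to the search.
    public void ChangedSince(DateTime utc)
    {
        AdvancedFilterSet("whenChanged", utc, typeof(DateTime), MatchType.GreaterThanOrEquals);
    }
}

public static class GroupChangeQuery
{
    // Groups named <prefix>* whose whenChanged is at or after 'since'; 'context'
    // should be bound to one named domain controller for the reason given above.
    public static PrincipalSearchResult<Principal> FindChanged(PrincipalContext context, string prefix, DateTime since)
    {
        var qbe = new TrackedGroupPrincipal(context) { Name = prefix + "*" };
        qbe.AdvancedSearchFilter.ChangedSince(since);
        return new PrincipalSearcher(qbe).FindAll();
    }
}
```

Because whenChanged is set independently on each DC, the timestamp you persist between runs is only meaningful against the DC it was read from.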

1 Answer


The short answer to getting only the groups that changed since the last check is that it is not (easily) possible.

Every object in AD has an Update Sequence Number attribute associated with it. When a group changes, its USN changes. BUT, not always. If you add/remove members to the group, the USN does not change. It changes only when you change the group name or other simple properties. On top of this, the USN number is unique to a single Domain Controller. So you have to make sure you always connect to the same server.

You can subscribe to changes to AD objects and get notified when they change, but this does not scale.

In my project, I ended up querying for all groups every time. That is not as bad as it sounds as the API is really good at paginating the result set and by looking at resources it is not very intensive.

Cosmin Onea