
Basically, I'm developing an app for managing Active Directory, I've added a big layer of 'security' that is the ability to assign to specific users what OU GUIDs they're allowed to access/search through.

The problem I'm facing now is there doesn't seem to be a nice way to query AD taking into account this sometimes large collection of GUIDs (1200ish) and ONLY returning results from these specific OUs.

Does anyone know if there's a way to use multiple DirectorySearchers or the like to achieve this without hitting performance too hard?

-- This would be dead easy in SQL... :-/

API

1 Answer


There are a few ways to do this:

  1. If you want to use multiple DirectorySearcher objects, then you can create one DirectorySearcher for each OU you want to search and set the SearchRoot on each to the OU you want to search.
  2. Make one search on the whole domain and filter out the results that you don't want to show after you get the results back. This will probably perform faster than option 1.
  3. Change the permissions in AD directly. If you don't want a user to see objects in an OU, then modify the permissions on that OU so they can't read it. Then you just do all your searches normally and you don't have to worry about filtering anything out. This is assuming you are using the user's own credentials to query AD.

But things do get complicated here. If you don't want User A to see objects in OU B, you can hide that OU from User A, sure. But User A may still be able to see groups that have users from OU B in them. So User A will still see evidence that OU B exists. So,

  • If you go with option 1 or 2, then you will have to filter results from groups when you look at group membership too.

  • If you go with option 3, it will likely break PowerShell scripts (if they ever use them) since PowerShell will try to read every member of a group and crash if it can't.

Gabriel Luci
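Options 1 and 2 from the answer side by side, as an added C# example; this is not code from the question or the answer. It assumes .NET's System.DirectoryServices on a domain-joined Windows host, that the app stores allowed OUs as objectGUID values (as the question says), and that "allowed" means an object's immediate parent container is one of those OUs. The class and method names (OuScopedSearch, OuDnFromGuid, SearchPerOu, SearchDomainThenFilter, IsAllowed, ParentDn) are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not from the question or answer. Assumes .NET System.DirectoryServices
// on a domain-joined Windows host; the class and method names are the example's own.
public static class OuScopedSearch
{
    // The app stores allowed OUs as objectGUID values; resolve each to a distinguishedName
    // once and cache it (GUIDs never change, DNs do when an OU is moved or renamed).
    public static string OuDnFromGuid(Guid ouGuid)
    {
        using (var ou = new DirectoryEntry("LDAP://<GUID=" + ouGuid.ToString("D") + ">"))
        {
            return (string)ou.Properties["distinguishedName"].Value;
        }
    }

    // Option 1: one DirectorySearcher per allowed OU, SearchRoot bound to that OU.
    // Cost: one search per OU, so roughly 1200 searches for the asker's case.
    public static List<string> SearchPerOu(IEnumerable<string> allowedOuDns, string ldapFilter)
    {
        var found = new List<string>();
        foreach (var ouDn in allowedOuDns)
        {
            using (var root = new DirectoryEntry("LDAP://" + ouDn))
            using (var searcher = new DirectorySearcher(root, ldapFilter, new[] { "distinguishedName" }))
            {
                // OneLevel returns direct children only; Subtree would also return objects
                // in child OUs, which may not be in the allowed set.
                searcher.SearchScope = SearchScope.OneLevel;
                searcher.PageSize = 1000; // enable paging; otherwise the server caps at 1000 entries
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        found.Add((string)r.Properties["distinguishedName"][0]);
                }
            }
        }
        return found;
    }

    // Option 2: a single search from the domain root, then drop anything whose parent
    // container is not in the allowed set. One query, but every object matching the
    // filter in the whole domain crosses the wire before it is filtered here.
    public static List<string> SearchDomainThenFilter(HashSet<string> allowedOuDns, string ldapFilter)
    {
        var found = new List<string>();
        string defaultNc;
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;

        using (var domain = new DirectoryEntry("LDAP://" + defaultNc))
        using (var searcher = new DirectorySearcher(domain, ldapFilter, new[] { "distinguishedName" }))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000;
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    var dn = (string)r.Properties["distinguishedName"][0];
                    if (IsAllowed(dn, allowedOuDns))
                        found.Add(dn);
                }
            }
        }
        return found;
    }

    // An object is visible if its immediate parent container is an allowed OU.
    // Pure string work, no extra LDAP round trips; build the set with
    // StringComparer.OrdinalIgnoreCase because DNs compare case-insensitively.
    public static bool IsAllowed(string objectDn, HashSet<string> allowedOuDns)
    {
        var parent = ParentDn(objectDn);
        return parent != null && allowedOuDns.Contains(parent);
    }

    // Strip the first RDN. A naive Split(',') breaks on names such as
    // "CN=Smith\, John,OU=Sales,DC=corp,DC=example", so skip backslash-escaped commas.
    public static string ParentDn(string dn)
    {
        for (int i = 0; i < dn.Length; i++)
        {
            if (dn[i] == '\\') { i++; continue; }   // skip the escaped character
            if (dn[i] == ',') return dn.Substring(i + 1);
        }
        return null; // a single RDN has no parent
    }
}
```

If a user is allowed an OU together with everything beneath it, change IsAllowed to walk up with ParentDn until it hits an allowed DN or runs out of RDNs, and switch option 1 to SearchScope.Subtree. Both options filter with the app's own credentials, so the app still sees every object; only the answer's option 3 makes the directory itself enforce the restriction.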