I can successfully get a complete list of all AD Attributes with the following code (including things like extensionAttribute1 - 15):

```csharp
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory;

// get whatever attributes are available
List<string> allAttributes = new List<string>();

var context = new DirectoryContext(DirectoryContextType.Forest, "mydomain.com");

using (var schema = ActiveDirectorySchema.GetSchema(context)) {
    var userClass = schema.FindClass("user");

    foreach (ActiveDirectorySchemaProperty property in userClass.GetAllProperties()) {
        allAttributes.Add(property.Name);
    }
}
```

However, when I retrieve a user account with the following code, most of these attributes (especially the extensionAttributes) are not present:

```csharp
using System;
using System.DirectoryServices;

SearchResultCollection results;
DirectoryEntry de = new DirectoryEntry("LDAP://RootDSE");
// DirectorySearcher(string) takes a filter, so the search root is passed as a DirectoryEntry
DirectorySearcher ds = new DirectorySearcher(
    new DirectoryEntry("LDAP://" + de.Properties["defaultNamingContext"][0].ToString()));

ds.Filter = "(&(objectCategory=User)(objectClass=person))";

results = ds.FindAll();

foreach (SearchResult sr in results) {
    Console.WriteLine(sr.Properties["extensionAttribute1"][0].ToString()); // == null
}
```

What am I doing wrong?

KWallace
  • You need to explicitly request the properties you want in the result set: `ds.PropertiesToLoad.AddRange(allAttributes.ToArray());` – Mathias R. Jessen Apr 15 '22 at 13:35
  • Thanks, Mathias. The "get a list of available attributes" part works. It's just that very few of those attributes actually are available on the user account as I am getting it. It has a couple dozen (what appear to be) native attributes, but none of the extended attributes are there. – KWallace Apr 15 '22 at 15:38
  • Not really an answer, but if you just need users you might consider using `PrincipalSearcher` for this instead of `DirectorySearcher`. I know for a fact that it can pull extension attributes and I have working code I can post if you want. See this for info on the differences: https://stackoverflow.com/questions/23176284/difference-between-principalsearcher-and-directorysearcher – Tawab Wakil Apr 15 '22 at 16:34
  • @TawabWakil `PrincipalSearcher` just uses `DirectorySearcher` behind the scenes. You're better off using `DirectorySearcher` directly as it gives you more control. – Gabriel Luci Apr 16 '22 at 15:15
  • If `PrincipalSearcher` was created as an abstraction over `DirectorySearcher`, wouldn't that be a reason to use it if you're only dealing with principals and don't need the flexibility? – Tawab Wakil Apr 16 '22 at 19:31
  • @TawabWakil Depends what you're doing and what you want. In this case, `UserPrincipal` doesn't expose any of the extension attributes so you have to access the underlying `DirectoryEntry` anyway. And if you want the best performance, you need to use `DirectorySearcher`. Both of those points are brought out in that answer you linked to. – Gabriel Luci Apr 17 '22 at 21:07
  • Makes sense. OP is accessing the `Properties` collection of `SearchResult`, whereas my solution accesses the `Properties` collection of `DirectoryEntry`. Based on that, I thought my way might yield a different result, but maybe it doesn't matter either way. – Tawab Wakil Apr 18 '22 at 14:06

1 Answer

> most of these attributes (especially the extensionAttributes) are not present

That is normal. Attributes are only returned if they have a value. If an attribute does not have a value, it is not returned at all.

Gabriel Luci
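
Putting the answer and the `PropertiesToLoad` comment together, as an added example (not code from the question or the answer): it requests specific attributes and treats an attribute that is absent from a `SearchResult` as unset instead of indexing it. The class name, the helper `FirstValueOrNull` and the attribute list are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class AdAttributeReader   // hypothetical name, not from the page
{
    // Returns the first value of an attribute, or null when the directory
    // returned nothing for it (no value set, or the caller has no read access to it).
    static string FirstValueOrNull(SearchResult sr, string attribute)
    {
        // Contains() is the safe presence check: indexing an absent attribute
        // yields an empty collection, so [0] on it would throw.
        if (!sr.Properties.Contains(attribute)) return null;
        ResultPropertyValueCollection values = sr.Properties[attribute];
        return values.Count > 0 ? values[0].ToString() : null;
    }

    static void Main()
    {
        // Assumed attribute list; replace with the attributes you need.
        string[] wanted = { "sAMAccountName", "extensionAttribute1", "extensionAttribute2" };

        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var root = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"][0]))
        using (var ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=User)(objectClass=person))"; // filter from the question
            ds.PropertiesToLoad.AddRange(wanted); // ask the server for these attributes only
            ds.PageSize = 1000;                   // paged search, so results beyond the first 1000 are returned

            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult sr in results)
                {
                    var row = new List<string>();
                    foreach (string name in wanted)
                        row.Add(name + "=" + (FirstValueOrNull(sr, name) ?? "<not set>"));
                    Console.WriteLine(string.Join("; ", row));
                }
            }
        }
    }
}
```

Accounts where an extension attribute has never been populated print `<not set>` for it, which is the behaviour the answer describes.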