How can I list all the users in a particular security group with ASP.NET?

[Brian Watkins]

Does anyone know a way to list all the users in a particular windows
security group on a .aspx web page? Thanks in advance!

[Joe Kaplan \(MVP - ADSI\)]

The first question is whether the group is a local machine group, an NT4
domain group or an Active Directory group. If it is an AD group, the other
question is whether you need nested membership or just direct membership.

In either case, you should be using System.DirectoryServices to do these
kinds of lookups. If you do some Google searches on
microsoft.public.adsi.general you should see many many posts that will give
you a good start.

Another thing to consider is that it is often better to calculate a user's
total group membership and compare the group to the user instead of
comparing the user to the group.

Joe K.

"Brian Watkins" <raistlin19@aol.com> wrote in message
news:e0srGXL8DHA.3288@TK2MSFTNGP11.phx.gbl...

> Does anyone know a way to list all the users in a particular windows
> security group on a .aspx web page? Thanks in advance!
>
>

[Brian Watkins]

Joe,

It is an Active Directory group. And I have yet to find an ASP.net specific
example.

I wrote a nifty app in VB.net that allowed me to search the AD for users and
their departments. Of course when I convert the code to ASP.net and run it
through the browser. Here is the code:


<%@ Language="vb" Debug="True" %>
<%@ Import Namespace="System" %>
<%@ import namespace="System.Security.Principal" %>
<%@ import namespace="System.DirectoryServices" %>
<%@ import namespace="System.Web" %>
<%@ Assembly name="System.DirectoryServices, Version=1.0.3300.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>

<HTML>
<HEAD>

<script runat="server" >
Dim queryResults As SearchResultCollection
Sub Page_Load()

Dim rootEntry As New DirectoryEntry("LDAP://mydomain")
Dim searcher As New DirectorySearcher(rootEntry)
Dim result As SearchResult

searcher.PropertiesToLoad.Add("cn")
searcher.PropertiesToLoad.Add("mail")
searcher.PropertiesToLoad.Add("SAMAccountName")
searcher.PropertiesToLoad.Add("department")
searcher.PropertiesToLoad.Add("MemberOf")
searcher.PageSize = 5 'return 5 entries at a time
searcher.ServerTimeLimit = New TimeSpan(0, 1, 0) 'tell the server to stop
after one minute
searcher.ClientTimeout = New TimeSpan(0, 2, 0)

'server should stop before this time, but if not... client will timeout
searcher.Sort.Direction = SortDirection.Ascending
searcher.Sort.PropertyName = "Department"

queryResults = searcher.FindAll()

Call Print_Dept_List()

End Sub

Sub Print_Dept_List()
Dim result As SearchResult, strDept As String, strOldDept As String
Dim intX as integer = 0
strOldDept = ""
Dim myResultPropColl As ResultPropertyCollection

For Each result In queryResults
myResultPropColl = result.Properties
Response.write("<p>The properties of the 'mySearchResult' are :")
Dim myKey As String
For Each myKey In myResultPropColl.PropertyNames
Dim tab1 As String = " "
Response.write("<p>" & myKey + " = ")
Dim myCollection As Object
For Each myCollection In myResultPropColl(myKey)
response.write("<p>" & tab1 + myCollection & "</p>")
Next myCollection
Response.Write("</P>")
Next myKey
Response.Write("</P>")
Next result
End Sub
</script>
</Head>

<body bgcolor="#FFFFFF"></body>
</html>


In my VB.net application runnning on my machine as me this code returns the
properties I included in the searcher.PropertiesToLoad.Add statements.
With the above code running on a webserver the only property that is
returned is the adspath.

Any idea why this is happening?

[Joe Kaplan \(MVP - ADSI\)]

Most errors in ASP.NET applications where serverless binding and default
credentials are used are the result of anonymous binds being performed that
limit you access to AD. Since ASP.NET runs a local machine account by
default, ADSI and S.DS cannot use the current security context to infer a
domain controller and domain credentials to use the for the bind.

This is explained in much detail here:
[url]http://support.microsoft.com/default.aspx?scid=kb;en-us;329986[/url]
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/troubleshooting_authentication_problems_on_asp_pag es.asp?frame=true[/url]

If you add a DNS name in your path. a la LDAP://yourserver.com/path and add
a username, password and AuthenticationTypes.Secure or
AuthenticationTypesServerBind to your DirectoryEntry constructor, you will
likely be successful.

To read a groups membership, you just need to find the group and read it
member attribute.

If you want to get a user's complete security group membership, you need to
look at the tokenGroups attribute. This is much prefered to memberOf for
security purposes. I've written about this extensively in the other
newsgroup, so doing a google groups search for Kaplan and tokenGroups in
micrsoft.public.adsi.general should give you lots of hits and some good
code.

HTH,

Joe K.

"Brian Watkins" <raistlin19@aol.com> wrote in message
news:u3Htk6M8DHA.1592@TK2MSFTNGP10.phx.gbl...

> Joe,
>
> It is an Active Directory group. And I have yet to find an ASP.net

specific

> example.
>
> I wrote a nifty app in VB.net that allowed me to search the AD for users

and

> their departments. Of course when I convert the code to ASP.net and run

it

> through the browser. Here is the code:
>
>
> <%@ Language="vb" Debug="True" %>
> <%@ Import Namespace="System" %>
> <%@ import namespace="System.Security.Principal" %>
> <%@ import namespace="System.DirectoryServices" %>
> <%@ import namespace="System.Web" %>
> <%@ Assembly name="System.DirectoryServices, Version=1.0.3300.0,
> Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
>
> <HTML>
> <HEAD>
>
> <script runat="server" >
> Dim queryResults As SearchResultCollection
> Sub Page_Load()
>
> Dim rootEntry As New DirectoryEntry("LDAP://mydomain")
> Dim searcher As New DirectorySearcher(rootEntry)
> Dim result As SearchResult
>
> searcher.PropertiesToLoad.Add("cn")
> searcher.PropertiesToLoad.Add("mail")
> searcher.PropertiesToLoad.Add("SAMAccountName")
> searcher.PropertiesToLoad.Add("department")
> searcher.PropertiesToLoad.Add("MemberOf")
> searcher.PageSize = 5 'return 5 entries at a time
> searcher.ServerTimeLimit = New TimeSpan(0, 1, 0) 'tell the server to stop
> after one minute
> searcher.ClientTimeout = New TimeSpan(0, 2, 0)
>
> 'server should stop before this time, but if not... client will timeout
> searcher.Sort.Direction = SortDirection.Ascending
> searcher.Sort.PropertyName = "Department"
>
> queryResults = searcher.FindAll()
>
> Call Print_Dept_List()
>
> End Sub
>
> Sub Print_Dept_List()
> Dim result As SearchResult, strDept As String, strOldDept As String
> Dim intX as integer = 0
> strOldDept = ""
> Dim myResultPropColl As ResultPropertyCollection
>
> For Each result In queryResults
> myResultPropColl = result.Properties
> Response.write("<p>The properties of the 'mySearchResult' are

:")

> Dim myKey As String
> For Each myKey In myResultPropColl.PropertyNames
> Dim tab1 As String = " "
> Response.write("<p>" & myKey + " = ")
> Dim myCollection As Object
> For Each myCollection In myResultPropColl(myKey)
> response.write("<p>" & tab1 + myCollection & "</p>")
> Next myCollection
> Response.Write("</P>")
> Next myKey
> Response.Write("</P>")
> Next result
> End Sub
> </script>
> </Head>
>
> <body bgcolor="#FFFFFF"></body>
> </html>
>
>
> In my VB.net application runnning on my machine as me this code returns

the

> properties I included in the searcher.PropertiesToLoad.Add statements.
> With the above code running on a webserver the only property that is
> returned is the adspath.
>
> Any idea why this is happening?
>
>
>