Wsrtjtyk

In my program, I need to fetch all the AD groups for a user.
The current version of my program uses System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups.

This works good until we had a new customer with a much largeer AD. There it is really slow. (Up to 60 seconds)

Now I've been looking around, and saw the posts that the AccountManagement is easy to use, but slow.

I also found that LDAP_MATCHING_RULE_IN_CHAIN should also fetch all the nested groups that a user is member of. And is more performant.

From this link.

But I'm having an issue with the default groups that in AD exists.

For example the group "Domain Users" is not returned by the function.
They also have a group "BDOC" that as member have "Domain Users". That group is also not returned.

Trough the GetAuthorizationGroups it is returned correct.

I'm using following code to fetch the groups by user.

VB.NET:

Dim strFilter As String = String.Format("(member:1.2.840.113556.1.4.1941:={0})", oUserPrincipal.DistinguishedName)

Dim objSearcher As New DirectoryServices.DirectorySearcher("LDAP://" & oLDAPAuthenticationDetail.Domain & If(Not String.IsNullOrWhiteSpace(oLDAPAuthenticationDetail.Container), oLDAPAuthenticationDetail.Container, String.Empty))

objSearcher.PageSize = 1000

objSearcher.Filter = strFilter

objSearcher.SearchScope = DirectoryServices.SearchScope.Subtree

objSearcher.PropertiesToLoad.Add(sPropGuid)

objSearcher.PropertiesToLoad.Add(sPropDisplayName)





Dim colResults As DirectoryServices.SearchResultCollection = objSearcher.FindAll()

Afterwards I was testing with the script from the link, if it was possible to fetch all the users from the Domain Users group, by changing the "member" to "memberOf" in the filter.
When I put the Domain Admins group in the filter, it shows the admins correct.
When I put the Domain Users group in the filter, it returns nothing.

Powershell:

$userdn = 'CN=Domain Users,CN=Users,DC=acbenelux,DC=local'

$strFilter = "(memberOf:1.2.840.113556.1.4.1941:=$userdn)"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://rootDSE")

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher

$objSearcher.SearchRoot = "LDAP://$($objDomain.rootDomainNamingContext)"

$objSearcher.PageSize = 1000

$objSearcher.Filter = $strFilter

$objSearcher.SearchScope = "Base"

$colProplist = "name"

foreach ($i in $colPropList)

{

    $objSearcher.PropertiesToLoad.Add($i) > $nul

}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)

{

    $objItem = $objResult.Properties

    $objItem.name

}

I don't know what I'm doing wrong. Or is it maybe just not possible to fetch the "default groups" with that filter?
What is a good alternative then?

The default group is odd. It is not stored in memberOf, or even in the member attribute of the group. That's why your search won't find it. The default group is determined by the primaryGroupId of the user. That attribute stores the RID (the last part of the SID) of the group. It's kind of dumb, I know :)

I actually wrote an article about the 3 (yes 3) different ways someone can be a member of a group: What makes a member a member?

I also wrote an article about getting all of the groups a single user belongs to, and how to account for all 3 ways: Finding all of a user’s groups

For example, here is the C# code I put in that article about how to find the name of the primary group for a user (given a DirectoryEntry). It shouldn't be too hard to translate that to VB.NET:

private static string GetUserPrimaryGroup(DirectoryEntry de) {

    de.RefreshCache(new {"primaryGroupID", "objectSid"});



    //Get the user's SID as a string

    var sid = new SecurityIdentifier((byte)de.Properties["objectSid"].Value, 0).ToString();



    //Replace the RID portion of the user's SID with the primaryGroupId

    //so we're left with the group's SID

    sid = sid.Remove(sid.LastIndexOf("-", StringComparison.Ordinal) + 1);

    sid = sid + de.Properties["primaryGroupId"].Value;



    //Find the group by its SID

    var group = new DirectoryEntry($"LDAP://<SID={sid}>");

    group.RefreshCache(new  {"cn"});



    return group.Properties["cn"].Value as string;

}

You are right that the AccountManagement namespace makes things easy, but it really does have terrible performance sometimes. I never use it anymore. I find that DirectoryEntry/DirectorySearcher gives you much more control of how often your code makes calls out to AD.

I have been meaning to write an article about writing high performance code with DirectoryEntry, but I haven't gotten around to it yet.

Update: So if you need the nested groups for the user, including membership through the primary group, then you can find the primary group first, then do an LDAP_MATCHING_RULE_IN_CHAIN search for groups that have both the user and the primary group as members:

 (|(member:1.2.840.113556.1.4.1941:={userDN})(member:1.2.840.113556.1.4.1941:={primaryGroupDN}))

Update: If you want to include Authenticated Users in your search (edit the DC portion of the distinguishedName):

 (|(member:1.2.840.113556.1.4.1941:=CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=domain,DC=com)(member:1.2.840.113556.1.4.1941:={userDN})(member:1.2.840.113556.1.4.1941:={primaryGroupDN})

Note that you can also use the tokenGroups attribute of a user to find out all of the authentication groups for a user. The tokenGroups attribute is a constructed attribute, so you only get it if you specifically ask for it (with DirectoryEntry.RefreshCache() or, in a search, add it to DirectorySearcher.PropertiesToLoad.

The caveat is that tokenGroups is a list of SIDs, not distinguishedName, but you can bind directly to an object using the SID with the LDAP://<SID={sid}> syntax.