Find out if a group from AD is part of a distribution group?

I use ASP.NET with C# and know very little about Active Directory. I was tasked with writing a program that works in the following steps:

ASP.net application gets the username.

The application should request all user groups with the specified username.

Then the application should display these groups in two separate lists: one consisting of distribution groups and another of the rest of the groups.

Now the request for all groups is simple. But how can I check if a group is in a distribution group or not?

I was not given more information.

Any attribute or something that I can verify?

+6

3 answers

You can get this information from the groupType attribute (see the last line):

(0x00000001) : Specifies a group that is created by the system.
(0x00000002) : Specifies a group with global scope.
(0x00000004) : Specifies a group with domain local scope.
(0x00000008) : Specifies a group with universal scope.
(0x00000010) : Specifies an APP_BASIC group for Windows Server Authorization Manager.
(0x00000020) : Specifies an APP_QUERY group for Windows Server Authorization Manager.
(0x80000000) : Specifies a security group. If this flag is not set, then the group is a distribution group.

You can find in this answer, or further down in this other one, various ways of retrieving the groups a user belongs to.

You can find here how to retrieve a user.

+3
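The flag table above is enough to classify a group without going through S.DS.AM, but there is one detail a practitioner runs into immediately: AD stores groupType as a signed 32-bit integer, so every security group comes back negative (0x80000002 is returned as -2147483646). The decoder below is an added example, not code from the answer; the enum, the helper names and the sample values are my own, constructed to match the flag table rather than read from a live domain. It assumes the raw integer has already been read, for instance as `(int)groupEntry.Properties["groupType"].Value` from a `DirectoryEntry`.

```csharp
using System;
using System.Collections.Generic;

// Bit flags of the AD groupType attribute, taken from the flag table above.
[Flags]
public enum GroupTypeFlags : uint
{
    SystemCreated    = 0x00000001,
    GlobalScope      = 0x00000002,
    DomainLocalScope = 0x00000004,
    UniversalScope   = 0x00000008,
    AppBasic         = 0x00000010,
    AppQuery         = 0x00000020,
    SecurityEnabled  = 0x80000000
}

public static class GroupTypeDecoder
{
    // groupType is a signed int in AD, so 0x80000000 lands in the sign bit and
    // security groups look negative. Reinterpreting the bits as uint keeps every
    // bit unchanged and lets the [Flags] enum be tested normally.
    public static GroupTypeFlags Decode(int groupType)
    {
        return (GroupTypeFlags)unchecked((uint)groupType);
    }

    // A group with the security bit cleared is a distribution group (last row of the table).
    public static bool IsDistributionGroup(int groupType)
    {
        return (Decode(groupType) & GroupTypeFlags.SecurityEnabled) == 0;
    }

    // Exactly one of the three scope bits is set on a normal group.
    public static string Scope(int groupType)
    {
        GroupTypeFlags f = Decode(groupType);
        if ((f & GroupTypeFlags.GlobalScope) != 0) return "Global";
        if ((f & GroupTypeFlags.DomainLocalScope) != 0) return "DomainLocal";
        if ((f & GroupTypeFlags.UniversalScope) != 0) return "Universal";
        return "Unknown";
    }

    public static string Describe(string name, int groupType)
    {
        string kind = IsDistributionGroup(groupType) ? "Distribution" : "Security";
        return name + ": " + kind + " (" + Scope(groupType) + ")";
    }

    public static void Main()
    {
        // Constructed sample values (hypothetical group names) in the form a
        // DirectoryEntry returns them; not read from a real domain.
        var samples = new Dictionary<string, int>
        {
            { "Domain Admins", -2147483646 }, // 0x80000002: security, global
            { "Helpdesk",      -2147483644 }, // 0x80000004: security, domain local
            { "All Staff",      2 },          // 0x00000002: distribution, global
            { "Sales DL",       8 }           // 0x00000008: distribution, universal
        };

        var distributionGroups = new List<string>();
        var otherGroups = new List<string>();

        // Split into the two lists the question asks for.
        foreach (var kv in samples)
        {
            if (IsDistributionGroup(kv.Value))
                distributionGroups.Add(Describe(kv.Key, kv.Value));
            else
                otherGroups.Add(Describe(kv.Key, kv.Value));
        }

        Console.WriteLine("Distribution groups:");
        distributionGroups.ForEach(Console.WriteLine);
        Console.WriteLine("Other groups:");
        otherGroups.ForEach(Console.WriteLine);
    }
}
```

If you compare a raw groupType against 0x80000002 as an int literal you will never get a match, because the value arrives as -2147483646; masking through the unsigned reinterpretation above avoids that. The S.DS.AM property `GroupPrincipal.IsSecurityGroup` used in the last answer performs the same security-bit test for you.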

This code will retrieve all mail-enabled groups, regardless of whether they are security or distribution groups. (Seeing your comment on marc_s's answer, I assume that this is actually what your managers are looking for.)

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    // Search for every group in the domain
    Principal prototype = new GroupPrincipal(ctx);
    PrincipalSearcher searcher = new PrincipalSearcher(prototype);
    List<string> groupNames = new List<string>();
    PropertyValueCollection email;

    foreach (var gp in searcher.FindAll())
    using (gp)
    {
        GroupPrincipal group = gp as GroupPrincipal;
        // Drop to the underlying DirectoryEntry to read the "mail" attribute
        using (DirectoryEntry groupEntry = (DirectoryEntry)group.GetUnderlyingObject())
        {
            email = groupEntry.Properties["mail"];
            if (email.Value != null)
            {
                groupNames.Add(group.Name);
            }
        }
    }
}
```
+3

Since you are using .NET 3.5 or above, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read more here:

Basically, you can define a domain context and easily find users and/or groups in AD:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if (user != null)
{
    // get all roles for that user
    var roles = user.GetGroups();

    // set up two lists for each type of groups
    List<GroupPrincipal> securityGroups = new List<GroupPrincipal>();
    List<GroupPrincipal> distributionGroups = new List<GroupPrincipal>();

    // iterate over groups found
    foreach (Principal p in roles)
    {
        // cast to GroupPrincipal
        GroupPrincipal gp = (p as GroupPrincipal);

        if (gp != null)
        {
            // check whether it is a security group or a distribution group
            if (gp.IsSecurityGroup)
                securityGroups.Add(gp);
            else
                distributionGroups.Add(gp);
        }
    }
}
```

The new S.DS.AM makes it very easy to play with users and groups in AD!

+2

Source: https://habr.com/ru/post/900480/

