Accessing Directory Services in .NET Framework 2.0

Development Environment for this Article

The configuration of the development environment used for this article is a Microsoft Virtual PC running Windows Server 2003. I promoted it to a domain controller for a fictitious dev.codeguru.com domain. All of the examples in this article run against that server instance. For those not familiar with Virtual PC, I highly recommend you investigate it. It is a highly valuable tool for building simulated development environments, among other things.

Searching the Directory

The .NET Framework 2.0 contains several enhancements related to search capabilities. The DirectorySearcher is still the class that provides the relevant functionality for searching directories, but it has expanded capabilities beyond what was available in the 1.x versions.

Finding Deleted Users Sample

Suppose an application uses the directory service for authentication (user ID and password validation), but relies on a separate data store in an application database to determine what the user can do within the application. The ability to determine quickly which users have recently been deleted from the directory service can be useful. When you know an account has been removed from your AD, you can remove it from your application as well. By default, objects deleted within AD are moved into the Deleted Objects container for a period of time. Now, you can search this container, courtesy of the expanded search functionality.

The sample code below executes a search and displays the account name, using the FindAll method of the DirectorySearcher class in combination with specific filter, scope, and Tombstone properties to find all entries in the Active Directory that have recently been deleted. It is important to set the AuthenticationType as AuthenticationTypes.FastBind to prevent it from verifying whether the object actually exists in the directory:

DirectoryEntry entry = new DirectoryEntry(
"LDAP://cn=Deleted Objects,DC=dev,DC=codeguru,DC=com");
entry.AuthenticationType = AuthenticationTypes.FastBind | 
AuthenticationTypes.Secure;

using( DirectorySearcher search = new DirectorySearcher(entry) )
{
   search.Filter = "isDeleted=TRUE";
   search.SearchScope = SearchScope.OneLevel;
   search.Tombstone = true;

   using (SearchResultCollection results = search.FindAll())
   {
      foreach (SearchResult result in results)
      {
      if (result.Properties.Contains("SAMAccountName"))
         {
            Console.WriteLine("Account name = {0}", 
            result.Properties["SAMAccountName"][0]); }
      }
   }
}
Console.ReadLine();

Virtual List View Sample

The Virtual List View (VLV) is a Windows Server 2003 feature that allows you to execute large searches against a directory service and scroll/page through them efficiently without having to return the full results at once. It retrieves contiguous subsets from the search results rather than grabbing them all at once. You control the search results by attaching a VLV to the DirectorySearcher instance being used to search the directory. You need to set a server side sorting value, otherwise it won't operate properly.

The following sample code illustrates these concepts by first searching for a target user and then grabbing a set of records from that spot onward. Next, it adjusts that to find a result and returns five records prior to the first match and one after (You may need to adjust the Target string to search for users that will match in your directory.):

DirectoryEntry entry =
   new DirectoryEntry("LDAP://dev.codeguru.com");
DirectorySearcher search = new DirectorySearcher(entry,
   "(objectClass=User)");

SortOption sort = new SortOption("SAMAccountName",
                                 SortDirection.Ascending);
search.Sort = sort;

// Find a place where user accounts that start with cs
// Return 5 records from the results spot (results are zero based)
DirectoryVirtualListView virtualList =
   new DirectoryVirtualListView();
virtualList.BeforeCount = 0;
virtualList.AfterCount  = 4;
virtualList.Target      = "cs";

search.VirtualListView = virtualList;
foreach (SearchResult result in search.FindAll())
{
   Console.WriteLine("Account name = {0}",
      result.Properties["SAMAccountName"][0]);
}

Console.WriteLine("Additional Searching");
// Context is still attached so I can adjust the results
// Return 5 records before the match and 1 after
search.VirtualListView.BeforeCount = 5;
search.VirtualListView.AfterCount  = 1;
foreach (SearchResult result in search.FindAll())
{
   Console.WriteLine("Account name = {0}",
      result.Properties["SAMAccountName"][0]);
}
Console.ReadLine();

Changing a User Password

One of the most common questions I receive regarding Active Directory is: "How do I change the password for an existing user so that I can allow users to change their Windows passwords from within my application?" The question is misleading because the command to set the password for the first time for a new user is different from the command to change an existing password.

Changing a user's password is fairly straightforward. The first step is to find the specific user account in Active Directory and then execute the ChangePassword action:

try
{
   // Use the user account you're changing the password on
   // to validate the user really exists. Specifies the
   // authentication type as secure as I had problems
   // getting it to work otherwise.
   DirectoryEntry entry = new DirectoryEntry(
      "LDAP://CN=Users,DC=dev,DC=codeguru,DC=com",
      "dev.codeguru.com\\testuser", "password",
      AuthenticationTypes.Secure |
      AuthenticationTypes.Sealing |
      AuthenticationTypes.ServerBind);

   DirectorySearcher search = new DirectorySearcher(entry);
   search.Filter = "(SAMAccountName=testuser)";
   SearchResult result = search.FindOne();
   DirectoryEntry user = result.GetDirectoryEntry();
   Object ret = user.Invoke("ChangePassword", new object[] {
      "password", "newpassword" });
   user.CommitChanges();
}
catch( Exception exception )
{
   Console.WriteLine( exception.Message );
}

Other Namespace Additions

The System.DirectoryServices namespace offers many changes in the 2.0 Framework, including the new System.DirectoryServices.ActiveDirectory and System.DirectoryServices.Protocols. However, the ActiveDirectory namespace name is misleading. The ActiveDirectory namespace is intended for automating management tasks and cannot be used to access data contained within Active Directory. You still use the System.DirectoryServices namespace to access the contents of Active Directory or other directory service. The Protocols namespace allows you to work with the LDAP 3.0 protocol along with the Directory Services Markup Language (DSML) 2.0.

Better Interaction with Your Enterprise AD

Several improvements to the System.DirectoryServices namespace will expand the ability to interact with your enterprise Active Directory. Now, the entire process operates predominantly off managed code and is much smoother and more efficient to use. Other handy additions such as the ActiveDirectory and Protocols namespaces warrant future exploration.

Future Columns

The topic of the next column is yet to be determined. If you have something in particular that you would like to see explained here, e-mail me at mstrawmyer@crowechizek.com.



About the Author

Mark Strawmyer

Mark Strawmyer is a Senior Architect of .NET applications for large and mid-size organizations. He specializes in architecture, design and development of Microsoft-based solutions. Mark was honored to be named a Microsoft MVP for application development with C# for the fifth year in a row. You can reach Mark at mark.strawmyer@crowehorwath.com.

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Protecting business operations means shifting the priorities around availability from disaster recovery to business continuity. Enterprises are shifting their focus from recovery from a disaster to preventing the disaster in the first place. With this change in mindset, disaster recovery is no longer the first line of defense; the organizations with a smarter business continuity practice are less impacted when disasters strike. This SmartSelect will provide insight to help guide your enterprise toward better …

  • Cisco and Intel have harnessed flash memory technology and truly innovative system software to blast through the boundaries of today's I/O-bound server/storage architectures. See how they are bringing real-time responsiveness to data-intensive applications—for unmatched business advantage. Sponsored by Cisco and Intel® Partnering in Innovation

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds