Home/ Questions/Q 4623996
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T03:04:03+00:00

I am enumerating a Domain Local Group in Active Directory using: Dim de As

  • 0

I am enumerating a Domain Local Group in Active Directory using:

Dim de As New DirectoryEntry("path")
Dim members As IADsMembers = DirectCast(de.Invoke("Members"), IADsMembers)

members.Filter = New Object() {"user"}
'Iterate over users.
members.Filter = New Object() {"group"}
'Iterate over nested groups.

The Domain Local Group is not enumerating. I have checked members.Count which equals 1.

Having looked in Active Directory there is a Foreign Security Principal which links to a Global Group in another domain. Research suggests that the only options for members.Filter are user and group, user and group.

How can I extract the Foreign Security Principal from this collection?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For the most part I have chosen to use the functionality provided by System.Directory.AccountManagement in .NET 3.5 to enumerate a global group. If the object being enumerated is actually a Foreign Security Principal then the .NET 3.5 code does not suffice. Hopefully the following code will help someone else:

    Private Sub EnumerateGlobalGroup(ByVal distinguishedName As String)

    Try

        Using context As New PrincipalContext(ContextType.Domain, GetDomainName(distinguishedName))
            Using gp As GroupPrincipal = GroupPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, distinguishedName)
                Dim groupMembers As PrincipalSearchResult(Of Principal) = gp.GetMembers(True)
                For Each member As Principal In groupMembers

                    Console.WriteLine(member.DisplayName)
                    Select Case member.StructuralObjectClass
                        Case "user"
                            Console.WriteLine("user")
                        Case "group"
                            Console.WriteLine("group")
                    End Select

                Next
            End Using
        End Using

    Catch ex As Exception

        If Not TypeOf ex Is PrincipalOperationException Then Throw ex

        'Get this far then enumerating Foreign Security Principal.
        Dim groupEntry As New DirectoryEntry("LDAP://" & distinguishedName)
        Dim members As Object = groupEntry.Invoke("Members")
        For Each member As Object In CType(members, IEnumerable)
            Dim memberEntry As New DirectoryEntry(member)
            Console.WriteLine(memberEntry.Name)

            Dim sid As New SecurityIdentifier(DirectCast(memberEntry.InvokeGet("objectSid"), Byte()), 0)
            Dim account As NTAccount = sid.Translate(GetType(NTAccount))
            Console.WriteLine(account.ToString)

            Dim memberDistinguishedName As String = GetDistinguishedName(account.ToString)
            EnumerateGlobalGroup(memberDistinguishedName)
        Next

    End Try

End Sub

Private Function GetDomainName(ByVal dn As String) As String

    Dim dnParts As String() = dn.Split(Char.Parse(","))
    For Each d As String In dnParts
        If d.StartsWith("DC") Then Return d.ToUpper().Replace("DC=", Nothing)
    Next
    Return Nothing

End Function

Private Function GetDistinguishedName(ByVal accountName As String) As String

    Dim nameTranslate = New ActiveDs.NameTranslate()
    nameTranslate.Set(ActiveDs.ADS_NAME_TYPE_ENUM.ADS_NAME_TYPE_NT4, accountName)

    Return nameTranslate.Get(ActiveDs.ADS_NAME_TYPE_ENUM.ADS_NAME_TYPE_1779)

End Function

    There is probably better ways of doing this but it works.

    • 0