Home/ Questions/Q 3395990
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T04:21:16+00:00

I am trying to do a very simple AD query to see if a

  • 0

I am trying to do a very simple AD query to see if a computer is in a group. The following code seems intuitive enough but does not work. The LDAPString is a fully distinguised name for the group that the computer referenced by NetBIOSName is a memberOf. 

public bool IsComputerInADGroup(String LDAPString, String NetBIOSName)
{
    using (DirectoryEntry entry = new DirectoryEntry(String.Format(@"LDAP://{0}", LDAPString)))
    using (DirectorySearcher computerSearch = new DirectorySearcher(entry))
    {
        ComputerSearch.Filter = String.Format("(&(objectCategory=computer)(CN={0}))", NetBIOSName);
        SearchResult match = ComputerSearch.FindOne();

        if (match != null)
        {
            return true;
        }
    }

    return false;
}

Can someone please explain why this is incorrect and what the correct/fastest way to to perform this search is.

Thanks
P

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your basic assumption is wrong – a computer (or user) cannot be in a group implying “containment” inside a group; a user or computer is only inside an OU.

    A user or computer can be member of any number of groups – but you need to check this against the member property of the group (or the memberOf attribute of the element that is a member of that group).

    So the easiest way, really, is to

    • bind to the object in question
    • refresh its property cache to get the latest entries in memberOf
    • enumerate of its memberOf entries and see if the group you’re looking for is present

    Something like:

     public static bool IsAccountMemberOfGroup(string account, string group)
 {
    bool found = false;

    using (DirectoryEntry entry = new DirectoryEntry(account))
    {
        entry.RefreshCache(new string[] { "memberOf" });

        foreach (string memberOf in entry.Properties["memberOf"])
        {
           if (string.Compare(memberOf, group, true) == 0)
           {
              found = true;
              break;
           }
        }
    }

    return found;
 }

    Call this like so:

    bool isMemberOf = 
     IsAccountMemberOfGroup("LDAP://cn=YourComputer,dc=Corp,dc=com",
                            "CN=yourGroupInQuestion,OU=SomeOU,dc=corp,dc=com");

    and you should be fine.

    Update: if you’re on .NET 3.5, you could also use the new System.DirectoryServices.AccountManagement namespace and LINQ to make things even easier:

    public static bool IsAccountMemberOfGroup2(PrincipalContext ctx, string account, string groupName)
{
   bool found = false; 
   GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName);

   if (group != null)
   {
      found = group.GetMembers()
                 .Any(m => string.Compare(m.DistinguishedName, account, true) == 0);
   }

   return found;
}

    and call this:

    // establish default domain context    
PrincipalContext domain = new PrincipalContext(ContextType.Domain);

// call your function
bool isMemberOf = 
   IsAccountMemberOfGroup2(domain, 
                           "cn=YourComputer,dc=Corp,dc=com",
                           "CN=yourGroupInQuestion,OU=SomeOU,dc=corp,dc=com");
    • 0