Searching AD with distinguished name

  • Question

  • I'm having difficulty in searching Active Directory using the distinguished name.  Each search returns null.  I'm trying to get the members of a particular group so that I can send them a report via email (SSRS).  It seems that the member property of a Group object contains only a list of strings (distinguished names) of the members.  When I use the dn string to query Active Directory, the DirectorySearcher object always returns null for the SearchResult.  Is there some special syntax I need to use when querying using the distinguished name?

    I'm trying to implement this in C#.

    Tuesday, January 18, 2011 4:29 PM

All replies

  • No special syntax, except that some characters must be escaped. In particular, if the DN has embedded commas, they must be escaped with the backslash escape character. For example, the filter might be:

    (distinguishedName=cn=Smith\, William,ou=West,dc=MyDomain,dc=com)

    Also, there should be no need to use DirectorySearcher. You should be able to create a DirectoryEntry object directly, using the ADsPath of the object. Maybe we need to see a snippet of your code.

    Richard Mueller


    MVP ADSI
    • Marked as answer by Ira Davis Tuesday, January 18, 2011 4:52 PM
    • Unmarked as answer by Ira Davis Tuesday, January 18, 2011 5:12 PM
    • Marked as answer by Ira Davis Tuesday, January 18, 2011 6:15 PM
    Tuesday, January 18, 2011 4:42 PM
  • In general, you should be able to carry out AD query based on the distinguishedName (check http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/e2c5c909-5c71-49ca-a12f-a5d373f47bdd for some examples). For starters, make sure that the format you are using is correct (one way to do this would be to use methods described in the above link and verify whether the search is successful). If so, then you might want to try MSDN forum and post the code you are using...

    hth
    Marcin

    Tuesday, January 18, 2011 4:44 PM
  • This gave me access to the User object.  Thanks.
    Tuesday, January 18, 2011 4:52 PM
  • Thanks for the quick response.  What I'm trying to do is set up a data driven subscription for a SQL Server Reporting Services report.  I can run a SQL query to get the list of email addresses.  The users will be in select Active Directory groups.  I didn't think I could get this information without writing a stored procedure in .NET to query Active Directory for the group members and then get their email addresses.  Long story short, I need to get the email address of each member of a group.
    Tuesday, January 18, 2011 4:59 PM
  • This returned a DirectoryEntry but the underlying object threw a COMException.  Seems like I'm back at square one.

    Tuesday, January 18, 2011 5:21 PM
  • It seems there is some additional information needed to get the actual Directory Entry when using the distinguished name.  You have to preface the dn with "LDAP://" before passing this to the DirectoryEntry constructor. 
    Tuesday, January 18, 2011 6:14 PM
  • In the example I gave earlier, the distinguished name is:

    cn=Smith\, William,ou=West,dc=MyDomain,dc=com

    You are correct that when creating a Directory Entry you must use the ADsPath, which includes the provider moniker, usually LDAP:. The ADsPath in my example would be:

    LDAP://cn=Smith\, William,ou=West,dc=MyDomain,dc=com

    Another possible provider would be GC:, which refers to the Global Catalog. You might use this if the attribute values you seek to retrieve are replicated to the GC. Another possible provider is WinNT:, but that is usually used for objects in the local SAM account database.

    Richard Mueller


    MVP ADSI
    • Marked as answer by Ira Davis Tuesday, January 18, 2011 9:11 PM
    Tuesday, January 18, 2011 7:51 PM
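
Added example, not part of the original posts: a C# sketch of the approach discussed in this thread, binding to each member DN through an LDAP:// ADsPath to read its mail attribute, plus RFC 4515 escaping for the case where a DN is placed in a search filter instead. The names GroupMail, ToAdsPath, EscapeFilterValue and GetMemberMail, and the "Report Readers" group DN, are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // add a reference to System.DirectoryServices
using System.Text;

static class GroupMail
{
    // The member attribute returns DNs already DN-escaped ("Smith\, William").
    // ADSI also treats "/" as a path separator, so escape it for the ADsPath.
    public static string ToAdsPath(string dn) => "LDAP://" + dn.Replace("/", "\\/");

    // RFC 4515 escaping for a value placed inside a search filter, so that
    // ( ) * \ or NUL in a DN cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Binds to the group, then to each member DN, and collects the mail values.
    public static List<string> GetMemberMail(string groupDn)
    {
        var mails = new List<string>();
        using (var group = new DirectoryEntry(ToAdsPath(groupDn)))
        {
            foreach (object memberDn in group.Properties["member"])
                using (var member = new DirectoryEntry(ToAdsPath((string)memberDn)))
                {
                    // Members without a mailbox have no mail value.
                    var mail = member.Properties["mail"].Value as string;
                    if (mail != null) mails.Add(mail);
                }
        }
        return mails;
    }

    static void Main()
    {
        // Constructed group DN; needs a domain-joined machine to resolve.
        foreach (string m in GetMemberMail("cn=Report Readers,ou=West,dc=MyDomain,dc=com"))
            Console.WriteLine(m);
    }
}
```

This sketch does not expand nested groups, and a group with more than 1500 members needs ranged retrieval of the member attribute.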
  • Thanks for your answer (and to the others who've responded).  I do appreciate your willingness to help.  Is there some document or book on Active Directory that you would recommend for someone more than a novice but obviously not deep enough in the technology?
    Tuesday, January 18, 2011 9:10 PM
  • I don't know about any C# books, but for VBScript scripting in AD I refer to "Microsoft Windows 2000 Scripting Guide, Automating System Administration". The text is available online at:

    http://technet.microsoft.com/en-us/library/ee221103.aspx

    For PowerShell I refer to "PowerShell In Practice", by Richard Siddaway (Manning Publications 2010), which covers PowerShell, Active Directory, Exchange, DNS, SQL Server, etc. A book like "Windows Server 2008, Administrator's Pocket Consultant" is a good reference for AD, but doesn't cover issues like ADsPath or providers or coding.

    Richard Mueller


    MVP ADSI
    Tuesday, January 18, 2011 9:43 PM