How to Retrieve Active Directory Data With ASP.NET C#

Introduction
Welcome to our blog! Today's post is a quick how-to for programmatically getting information from Active Directory. Using ASP.NET C#, you can list all the groups a user is a member of. Active Directory, a directory service developed by Microsoft, plays a crucial role in managing users, groups, and resources within a network environment. As organizations grow and their user bases expand, efficiently managing group memberships becomes vital. Using ASP.NET C# and the Active Directory services, we'll demonstrate a practical method to retrieve and display the groups a user belongs to, giving administrators valuable insight into user access and permissions. So, let's dive in!
The examples below have been updated to work with ASP.NET C# Web API and ASP.NET C# Core Web API 7.0.
How to get the AD Groups by Username.
Example I
Add the following function to your controller. The username string could be something like johns or jsmith for user John Smith. The function below returns an array of group names and no other information.
Import the following:
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq; // needed for Select() and ToArray()
Code for a private static method that gets the group names for an individual user.
private static string[] GetGroups(string username)
{
    // Stays null when the user is not found
    string[] output = null;
    using (var ctx = new PrincipalContext(ContextType.Domain))
    using (var user = UserPrincipal.FindByIdentity(ctx, username))
    {
        if (user != null)
        {
            // Keep only the sAMAccountName of each group
            output = user.GetGroups()
                .Select(x => x.SamAccountName).ToArray();
        }
    }
    return output;
}
The API Action can call the function above.
var ADGroups = GetGroups(Username);
// .....................
// Then return it as a list
return new { ADGroups = ADGroups };
How to get the users from an AD Group.
[Route("getADusers/{group}")]
public object getADGroupUsers(string group)
{
    try
    {
        string ADDomain = @"DOMAIN-NAME";
        List<string> userList = new List<string>();
        using (var context = new PrincipalContext(ContextType.Domain, ADDomain))
        using (var grouplist = GroupPrincipal.FindByIdentity(context, group))
        {
            // An unknown group yields an empty list
            if (grouplist != null)
            {
                // true = recursive: members of nested groups are included
                var users = grouplist.GetMembers(true);
                foreach (Principal p in users)
                {
                    // Skip members that are not user objects (e.g. computer accounts)
                    if (p is UserPrincipal user)
                    {
                        DirectoryEntry de = user.GetUnderlyingObject() as DirectoryEntry;
                        string fname = de?.Properties["name"].Value?.ToString();
                        if (fname != null)
                        {
                            userList.Add(fname);
                        }
                    }
                }
            }
        }
        return Ok(userList);
    }
    catch (Exception e)
    {
        // e.Message can reveal directory or server details to the caller
        return BadRequest(e.Message);
    }
}
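A hardened variant of the endpoint above, added here as an example and not code from the original post: it requires an authorized caller, validates the group name against an allow-list, restricts the lookup to sAMAccountName, and keeps exception details in the server log. The controller name, the DirectoryReaders role and the name pattern are assumptions, and it reads DisplayName from the UserPrincipal instead of the underlying DirectoryEntry.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[ApiController]
[Authorize(Roles = "DirectoryReaders")] // hypothetical role: only approved callers may enumerate AD
public class DirectoryController : ControllerBase
{
    // Assumed naming convention: letters, digits, space, dot, underscore, hyphen; 1-64 chars.
    private static readonly Regex GroupName =
        new Regex(@"^[A-Za-z0-9 ._-]{1,64}\z", RegexOptions.CultureInvariant);

    private const string AdDomain = "DOMAIN-NAME"; // placeholder, as in the article
    private readonly ILogger<DirectoryController> _log;

    public DirectoryController(ILogger<DirectoryController> log) => _log = log;

    [HttpGet("getADusers/{group}")]
    public IActionResult GetAdGroupUsers(string group)
    {
        // Reject anything outside the allow-list before it reaches the directory or the log.
        if (string.IsNullOrEmpty(group) || !GroupName.IsMatch(group))
            return BadRequest("Invalid group name.");
        try
        {
            using var context = new PrincipalContext(ContextType.Domain, AdDomain);
            using var adGroup = GroupPrincipal.FindByIdentity(
                context, IdentityType.SamAccountName, group);
            if (adGroup == null)
                return NotFound();

            // Recursive membership can contain non-user objects; keep user objects only.
            List<string> names = adGroup.GetMembers(true)
                .OfType<UserPrincipal>()
                .Select(u => u.DisplayName ?? u.SamAccountName)
                .ToList();
            return Ok(names);
        }
        catch (Exception e)
        {
            // Details stay in the server log; the caller gets a generic error.
            _log.LogError(e, "AD lookup failed for group {Group}", group);
            return StatusCode(500, "Directory lookup failed.");
        }
    }
}
```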
Example II
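Another way is to return the full group objects, which carry more than the group names. Note that GetAuthorizationGroups() returns security groups only and includes nested (recursive) memberships, while GetGroups() in Example I returns the groups the user is a direct member of.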
public List<GroupPrincipal> GetGroups(string userName)
{
    List<GroupPrincipal> result = new List<GroupPrincipal>();
    // establish domain context
    PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain);
    // find your user
    UserPrincipal user = UserPrincipal.FindByIdentity(yourDomain, userName);
    // if found - grab its groups
    if (user != null)
    {
        PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
        // iterate over all groups
        foreach (Principal p in groups)
        {
            // make sure to add only group principals
            if (p is GroupPrincipal)
            {
                result.Add((GroupPrincipal)p);
            }
        }
    }
    return result;
}
Get User Display Names From an AD Group
Import the following:
using System.Collections.Generic; // needed for List<string>
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
Using GroupPrincipal.FindByIdentity(context, group) we can get the entry for an AD group and list its members with GetMembers(). Then loop through the members and extract the display names with System.DirectoryServices.DirectoryEntry and System.DirectoryServices.DirectoryEntry.Properties["name"].Value
private static string[] GetGroupUsers(string group)
{
    string YOURDomain = @"DOMAINNAME";
    List<string> userList = new List<string>();
    using (var context = new PrincipalContext(ContextType.Domain, YOURDomain))
    using (var grouplist = GroupPrincipal.FindByIdentity(context, group))
    {
        if (grouplist == null)
        {
            // Group not found
            return null;
        }
        // true = recursive: members of nested groups are included
        var users = grouplist.GetMembers(true);
        foreach (Principal p in users)
        {
            // Skip members that are not user objects (e.g. computer accounts)
            if (p is UserPrincipal user)
            {
                System.DirectoryServices.DirectoryEntry de = user.GetUnderlyingObject() as System.DirectoryServices.DirectoryEntry;
                string fname = (string)de?.Properties["name"].Value;
                if (fname != null)
                {
                    userList.Add(fname);
                }
            }
        }
        return userList.ToArray();
    }
}