How would I get users from an AD Group which contains users from different domains.
For example, I have 2 domains in my active directory, Domain1.corp.com and Domain2.corp.com
I have an AD group called TestGroup which contains users from both the domains.
Domain1 users: TestUser1, TestUser2
Domain2 users: TestUser3, TestUser4, TestUser5
TestGroup users: TestUser1, TestUser2, TestUser3, TestUser5
The following code would return only Domain1 users.

    using System;
    using System.DirectoryServices.AccountManagement;

    string domainname = "Domain1.corp.com:3268";
    string usernames = String.Empty;
    using (var p_context = new PrincipalContext(ContextType.Domain, domainname))
    {
        using (var group = GroupPrincipal.FindByIdentity(p_context, "TestGroup"))
        {
            // Direct (non-recursive) members of the group
            var users = group.GetMembers(false);
            foreach (var user in users)
            {
                usernames = usernames + ", " + user.SamAccountName;
            }
        }
    }
When returning the usernames variable, I would see users from only Domain1. Am I missing anything over here? My IIS server is located in the Domain1.corp.com domain.
I verified that the server had access to the other domain by running a powershell script which returned users located in both the domains.
get-adgroupmember "TestGroup" -recursive
You need to use the underlying System.DirectoryServices.DirectoryEntry for the group (note: according to MSDN, GetUnderlyingObject() will return a DirectoryEntry, even though the return type is object). From there you can get the member distinguished names:

The users from the other domain are Foreign Security Principals, so the distinguished name will be in the form CN={SecurityIdentifier},CN=ForeignSecurityPrincipals. You can extract the Security Identifier and search for the user on the other domain/s in order to get the rest of their details. Unfortunately this does mean you need to connect to both domains, which can be slow.
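The approach described in the answer, written out as an added example (not code from the answer's author): read the group's member DNs from the underlying DirectoryEntry, resolve same-domain members in Domain1, and resolve Foreign Security Principal entries by SID in the other domain(s). The domain names, the OtherDomains list and the method name are assumptions, and the code assumes the calling identity can bind to every listed domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class CrossDomainGroupMembers
{
    // Assumption: domains to try when a member is a Foreign Security Principal.
    static readonly string[] OtherDomains = { "Domain2.corp.com" };

    public static List<string> GetMemberSamAccountNames(string homeDomain, string groupName)
    {
        var names = new List<string>();
        using (var homeContext = new PrincipalContext(ContextType.Domain, homeDomain))
        using (var group = GroupPrincipal.FindByIdentity(homeContext, groupName))
        {
            if (group == null) throw new ArgumentException("Group not found: " + groupName);

            // GetUnderlyingObject() is documented to return a DirectoryEntry for AD principals.
            var entry = (DirectoryEntry)group.GetUnderlyingObject();
            // Note: very large groups (>1500 members) return "member" in ranges; not handled here.
            foreach (string memberDn in entry.Properties["member"])
            {
                if (memberDn.IndexOf("CN=ForeignSecurityPrincipals", StringComparison.OrdinalIgnoreCase) < 0)
                {
                    // Same-domain member: resolve by distinguished name in the home domain.
                    using (var local = UserPrincipal.FindByIdentity(homeContext, IdentityType.DistinguishedName, memberDn))
                        if (local != null) names.Add(local.SamAccountName);
                    continue;
                }

                // Foreign member: the RDN is CN=<SID>, so the SID is the text between "CN=" and the first comma.
                string sid = memberDn.Substring(3, memberDn.IndexOf(',') - 3);
                foreach (var domain in OtherDomains)
                {
                    using (var ctx = new PrincipalContext(ContextType.Domain, domain))
                    using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid))
                    {
                        if (user == null) continue;   // SID belongs to another domain, try the next one
                        names.Add(user.SamAccountName);
                        break;
                    }
                }
            }
        }
        return names;
    }
}
```

Calling GetMemberSamAccountNames("Domain1.corp.com", "TestGroup") on the question's setup should yield TestUser1, TestUser2, TestUser3 and TestUser5; each foreign member costs a bind to the other domain, which is the slowness the answer mentions.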