DirectoryEntry Invoke method name required for getting Authorization Groups

I am using the below method of DirectoryEntry

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.directoryentry.invoke?view=netframework-4.7.2

I am trying to fetch the AuthorizationGroups using the invoke method. I used the below method

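    using System.Collections;
    using System.DirectoryServices;

    object obGroups = de.Invoke("Groups");
    foreach (object ob in (IEnumerable)obGroups)
    {
        // Wrap the native ADSI group object so its properties can be read
        DirectoryEntry obGpEntry = new DirectoryEntry(ob);
        // name of group
        string groupName = obGpEntry.Name;
    }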

But this will not return all Active Directory groups. I need to get all Authorization Groups the user belongs to.

Any idea which method name needs to be used for that?

1 answer

  • answered 2019-02-08 13:28 Gabriel Luci

    Using .Invoke("Groups") calls the Windows native IADSUser::Groups method. It only gets the direct membership (not nested groups) and does not give you the primary group. I'm not entirely sure where it's getting that information from, so I couldn't say for certain what it does and doesn't give you.

    Are you trying to find the groups for the current user (the user currently logged in)? Because there are other ways to do it that let you read the groups from the authentication token. In both ASP.NET and a desktop app you can use UserPrincipal.GetAuthorizationGroups().

    But otherwise, you could use the tokenGroups attribute, which gives you all nested security groups for the purposes of authorization:

    de.RefreshCache(new [] {"tokenGroups"});
    var groups = de.Properties["tokenGroups"];
    

    However that gives you the SID of the groups, which may not be immediately helpful if you want the names.

    There are a few ways to tackle getting all of a user's groups, which depends on how much information you're after and your environment. I wrote an article about this very thing with several sample methods: Active Directory: Finding all of a user’s groups
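As an added example (not code from the answer or the linked article), this resolves the SIDs returned by tokenGroups to names with SecurityIdentifier.Translate. The class and method names and the LDAP path taken from the command line are assumptions; the sample bytes are a constructed encoding of the well-known SID S-1-5-32-544.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class TokenGroupsExample   // hypothetical name, for illustration
{
    // Loads the constructed tokenGroups attribute and yields one
    // SecurityIdentifier per value (each value is a binary SID).
    static IEnumerable<SecurityIdentifier> GetTokenGroupSids(DirectoryEntry de)
    {
        de.RefreshCache(new[] { "tokenGroups" });
        foreach (object value in de.Properties["tokenGroups"])
            yield return new SecurityIdentifier((byte[])value, 0);
    }

    // Translates a SID to DOMAIN\name. Falls back to the SID string when
    // the SID cannot be mapped (deleted group, unreachable domain).
    static string ToDisplayName(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }

    static void Main(string[] args)
    {
        // Constructed sample: binary SID for S-1-5-32-544.
        // Layout: revision, sub-authority count, 6-byte big-endian
        // authority, then little-endian 32-bit sub-authorities.
        byte[] sample = { 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0 };
        var sampleSid = new SecurityIdentifier(sample, 0);
        Console.WriteLine($"{sampleSid.Value} -> {ToDisplayName(sampleSid)}");

        // Assumption: args[0] is the LDAP path of the user object,
        // e.g. a placeholder such as LDAP://CN=Some User,DC=example,DC=com
        if (args.Length == 0) return;
        using (var de = new DirectoryEntry(args[0]))
        {
            foreach (SecurityIdentifier sid in GetTokenGroupSids(de))
                Console.WriteLine($"{sid.Value} -> {ToDisplayName(sid)}");
        }
    }
}
```

For authorization checks, compare against the group's SID rather than the translated name, since a group can be renamed while its SID stays the same.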