The .NET Developer's Guide to Directory Services Programming

Author: Joe Kaplan, Ryan Dunn


by anonymous   2017-08-20

If you're using .NET 3.5 (or you can update to it), check out the System.DirectoryServices.AccountManagement namespace - makes a lot of things a lot easier.

Read up on it: Managing Directory Security Principals in the .NET Framework 3.5 and check out all the properties surfaced by the new UserPrincipal class in .NET 3.5.

The other place I'd recommend is Richard Mueller's web site - he has lots of Excel sheets which show all the AD / LDAP attributes, where on the interactive tools you'll find those, and so forth. Highly useful!

Combine those two resources, and you should be able to do whatever it is you need to do!

Update: if you cannot update to .NET 3.5 (which is really just like a service pack on top of .NET 2....), you would have to do the following steps:

  • import the CSV into a List<CSVRecord> - I'd use the free FileHelpers library to do that; your CSVRecord would hold the three fields in your CSV file
  • create a DirectorySearcher class based on your search root (your domain or a sub-container thereof); find the correct LDAP search filter to find your user by EmployeeId

  • loop over the entries in your list, and for each entry

    • search the directory for that user
    • if found: grab the DirectoryEntry from your SearchResult and update the two attributes
    • call .CommitChanges() on that DirectoryEntry

I don't think there's any other way, really, to do this - there's no magic way to select all users at once, or update them all at once.

Update #2:
Here are some resources you can check out:

and the ultimate book on the subject:

Joe Kaplan / Ryan Dunn: The .NET Developer's Guide to Directory Services Programming
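The pre-3.5 procedure from the answer above, as an added C# example that is not part of the original answer. The CSV columns (employeeId, department, title) and the inline Split in place of FileHelpers are assumptions; the filter escaping is added because values read from a file end up inside an LDAP filter, and the program needs a domain-joined machine and write permission on the user objects.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class BulkUpdate
{
    // RFC 4515 escaping: a CSV value placed in a filter must not be able to change it.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample rows: employeeId,department,title (column names are assumptions).
        string[] rows = { "1001,Finance,Analyst", "1002,IT,Engineer" };

        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (DirectoryEntry searchRoot = new DirectoryEntry(
                   "LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        foreach (string row in rows)
        {
            string[] f = row.Split(',');
            string filter = "(&(objectCategory=person)(objectClass=user)(employeeID="
                            + EscapeFilterValue(f[0]) + "))";
            using (DirectorySearcher searcher = new DirectorySearcher(searchRoot, filter))
            using (SearchResultCollection hits = searcher.FindAll())
            {
                // Update only on an unambiguous match; skip missing or duplicate IDs.
                if (hits.Count != 1) { Console.WriteLine("skip {0}: {1} matches", f[0], hits.Count); continue; }
                using (DirectoryEntry user = hits[0].GetDirectoryEntry())
                {
                    user.Properties["department"].Value = f[1];
                    user.Properties["title"].Value = f[2];
                    user.CommitChanges();   // one write per user; there is no bulk commit
                }
            }
        }
    }
}
```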


by anonymous   2017-08-20

Of course, you can do it in System.DirectoryServices.

I think what you really need is to learn how to use System.DirectoryServices. If you don't have a good book yet, I recommend this one.

It's not that hard, really. You just need to master two classes, DirectoryEntry and DirectorySearcher. DirectoryEntry represents an LDAP object on the LDAP server. Assuming you have sufficient permissions, you can make changes on any LDAP object, including the contact object, using DirectoryEntry. Each LDAP object has a number of attributes. Two important attributes you need to know are objectCategory and objectClass. For the contact object, the objectCategory should be person and objectClass should be contact. You may also like to check the "targetAddress" attribute on the contact object, which stores the email address. There are a bunch of Exchange extended attributes on the contact object. You would probably like to check each of them one by one. To browse the objects on the LDAP server, you can use a tool like AD Explorer or ADSI Edit.

To do a search, you need to provide four things to DirectorySearcher.

  1. Search root
  2. LDAP search filter
  3. Search Scope
  4. Returned attributes

If your machine is already joined to a domain and you are logging in as a domain user, here is a sample on how to list out all contacts in your domain.

DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE");
string domainContext = rootDSE.Properties["defaultNamingContext"].Value as string;
DirectoryEntry searchRoot = new DirectoryEntry("LDAP://" + domainContext);
using (DirectorySearcher searcher = new DirectorySearcher(
    searchRoot,                                          // 1. search root
    "(&(objectCategory=person)(objectClass=contact))",   // 2. LDAP search filter
    new string[] {"targetAddress"},                      // 4. returned attributes
    SearchScope.Subtree))                                // 3. search scope
{
    foreach (SearchResult result in searcher.FindAll())
        foreach (string addr in result.Properties["targetAddress"])
            Console.WriteLine(addr);
}

The first three lines are to help you to find the correct LDAP path to the root of your domain. It works only if you are logging in as a domain user. If you know the correct LDAP path of your domain, you can just feed it into DirectoryEntry directly.

I put all four parameters into DirectorySearcher. When you are getting familiar with Directory Services programming, you can skip some of them and .NET will provide a default value for you.

The result returned from DirectorySearcher is SearchResult. Note that SearchResult always returns a collection of objects to you even though targetAddress is not a multivalue attribute. It's because some of the attributes on the LDAP object may be multi-value.

Another important piece of information you can get from SearchResult is the Path. You can create a DirectoryEntry object using this Path later. To update your contact object, you need to use its Properties method and CommitChanges method.

DirectoryEntry de = new DirectoryEntry(result.Path);
de.Properties["targetAddress"].Value = "";
de.CommitChanges();   // nothing is written to the directory until this call

Finally, you can actually easily find a lot of online tutorials on both DirectorySearcher and DirectoryEntry. Try googling it.

by anonymous   2017-08-20

Working with Active Directory, even with the help of the DirectorySearcher class, is no mean feat. It is not a task to be taken lightly. If you haven't done it before, I'd read up on it before attempting to do so.

I highly recommend The .NET Developer's Guide to Directory Services Programming.

That being said, the classes in the DirectoryServices namespace do some of the work for you, but certainly nowhere near enough of it.