In my organisation I have been coding a small application that fetches users from our corporate AD. Until now I have been using a collection of OUs to get users from different locations in our AD. However, our IT department has now organised the users in security groups. It is common practice for security administrators to create hierarchies of security groups, which allows for easier membership management.
The requirement I faced was that whatever privileges are granted to members of a security group, those privileges also apply to members of any security group nested below it in the hierarchy. This is also a commonly used concept. It was necessary for me to find the security group in AD (represented as a single directory entry) and then drill down into each level of the group hierarchy to find all user members of all associated security groups. I will try to boil it all down to an "easy to go through" article.
My point of entry was this MSDN blog post – thanks for the inspiration. However, I quickly noticed that the code samples lacked a lot of the code needed to produce a working proof-of-concept application.
Googling the parts that were missing I actually managed to combine all into a working sample – feel free to download it from here.
Here is how it works:
- Looking at the "Tester" project you'll notice that it contains a simple main method.
- The magic happens in the "ADUserFromSecGroupsPOC" class when the "GetADSecurityGroupUsers" method is called, passing in the security group used as the single point of entry.
- From this security group we drill down, adding ONLY user accounts from all nested levels. If a member is itself a security group, the method recurses and gets the members of that security group:
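An added example of the recursive drill-down described above (my own illustration, not the downloaded sample's code). It assumes the System.DirectoryServices assembly is referenced, that the default domain is reachable through `LDAP://`, and that the caller has read access to the groups; the `visitedGroups` set is there because nested groups can form a loop (A contains B, B contains A), which would otherwise recurse forever.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not the post's own code: walk a security group and every
// group nested below it, collecting only user accounts.
public static class NestedGroupUsers
{
    // Returns the distinguished names of all users reachable from the
    // group at groupDn, however deeply the group hierarchy is nested.
    public static HashSet<string> GetUsers(string groupDn)
    {
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var visitedGroups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        Collect(groupDn, users, visitedGroups);
        return users;
    }

    private static void Collect(string groupDn, HashSet<string> users,
                                HashSet<string> visitedGroups)
    {
        // Guard against circular nesting: a group already visited is skipped.
        if (!visitedGroups.Add(groupDn))
            return;

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            // "member" holds the DN of each direct member: users, groups,
            // computers, contacts, ...
            foreach (string memberDn in group.Properties["member"])
            {
                using (var member = new DirectoryEntry("LDAP://" + memberDn))
                {
                    if (member.SchemaClassName == "group")
                    {
                        // Nested security group: recurse into it.
                        Collect(memberDn, users, visitedGroups);
                    }
                    else if (member.SchemaClassName == "user")
                    {
                        // Computer accounts have SchemaClassName "computer",
                        // so only real user objects end up here.
                        users.Add(memberDn);
                    }
                }
            }
        }
    }
}
```

Note that the `member` attribute does not list accounts whose primary group is the group in question (the usual case for "Domain Users"), so if that matters a separate query on `primaryGroupID` is needed.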