Find a domain name in Active Directory

I am running an ASP.NET 4.0 application that uses a username (i.e. HttpContext.Current.Request.LogonUserIdentity.Name.ToString()) to control access to various components.

The returned username is in the form "abc\jsmith", where "abc" is the domain name and "jsmith" is the username of the user.

Part of the security module for this application deals with the Active Directory groups to which the user belongs (for example, "Accounting", "AccountsPayable", "AdminDepartment"). I can get the username from Active Directory using DirectoryEntry.Properties["sAMAccountName"].Value (i.e. System.DirectoryServices.PropertyCollection).

So far so good, but I want to expand the application to several domains, which means that I need to find the domain name in Active Directory as well as the username. I can get the "Domain" value from PrincipalContext, but it returns "abcdc" instead of "abc". Can I assume that this property will always return "dc" (as in "Domain Controller") at the end of each domain (in which case I can use a substring of the property), or is there somewhere else I can get the user's current domain name?

+7
4 answers

One thing that I don't understand is your question about retrieving the domain name specified in the directory on the domain controller. I assume that you have a server that can see several trusted domains, and that the user can log into your application from any of them, so that you do not know which domain you need to check for role membership.

To control access to functions through membership in ADGroup, you can use

    HttpContext.Current.User.IsInRole(@"appdomain\groupname")

where User.Identity.Name == "userdomain\user". I am not familiar with domain trust issues, but this assumes that you can add users from a trusted domain to the domain group that you control, so you don't have to worry about the location of the domain group.

If you can’t or you have the same group name in every other domain, can you do something like this?

    HttpContext.Current.User.IsInRole(userDomainname + @"\groupname")

Some points:

  • If you don't already have a large AD database, I would recommend using objects from the System.DirectoryServices.AccountManagement namespace.
  • I highly recommend the ADExplorer utility from Sysinternals to get a more LDAP-like view of your domain(s), which helps with connection strings and LDAP directory programming in general.
  • If you are comfortable working with interop and need to do any parsing of the LDAP string, check out this site.
  • The properties System.DirectoryServices.AccountManagement.PrincipalContext.Container and System.DirectoryServices.DirectoryEntry.Path return the LDAP connection string with the domain at the end of the string (i.e. DC=mycompany,DC=com).
  • Don't forget about the robust old Environment.UserDomainName and Environment.UserName (which grab the WindowsPrincipal from the current executing thread; see Table 1: Object implemented in the CurrentPrincipal Object @ http://msdn.microsoft.com/en-us/library/Aa480475.aspx for an excellent table stating who the current user is in the ASP.NET runtime).

** UPDATE 6/8/2011 2:15 PM **

If I understand AD correctly, the user's domain is an integral part of the user object returned by AD. Extending your example "Bob NewAccountant"...

So, given the following 2 Domains with trust between them:

    1. "abcdc.com"
       CN=Users
         CN="Bob NewAccountant"
    2. "abc.com"
       CN=Users
         CN="Local User1"
       OU=Applications
         OU=MyApplication
           CN=ReportReaders (Members: abcdc\BNewAccountant, abc\luser1)

You should get the user information by running the following query:

    using System;
    using System.DirectoryServices.AccountManagement;

    // name parameter = domain
    // container parameter = distinguished name
    // (all arguments are named so that none follows a named argument positionally,
    //  and the backslash in the account name needs a verbatim @"..." string)
    using (var ctx = new PrincipalContext(
        ContextType.Domain,
        name: "abc.com",
        container: "OU=MyApplication,OU=Applications,DC=abc,DC=com",
        userName: @"abc\serviceaccountname",
        password: "Password1"))
    {
        var officeGroup = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "ReportReaders");
        foreach (Principal prin in officeGroup.GetMembers(recursive: true))
        {
            Console.WriteLine("DistinguishedName: " + prin.DistinguishedName + " UPN: " + prin.UserPrincipalName);
        }
        // Should result in
        // DistinguishedName: CN=luser1,CN=Users,DC=abc,DC=com UPN: luser1@abc.com
        // DistinguishedName: CN=BNewAccountant,CN=Users,DC=abcdc,DC=com UPN: BNewAccountant@abcdc.com
    }

This way you can get the user's domain through the distinguishedName or userPrincipalName Active Directory property. (Note: I don't have a two-domain setup, so I can't test the above code at this time.) Is this closer?

+5

Here is a WMI way to find it. I'll give you PowerShell, but you can easily convert it to VBScript or C#.

 PS C:\> (Get-WmiObject Win32_NTDomain).DomainName 

Be careful: the "pre-Windows 2000 domain" part may be completely different from the user principal name (user@domain) used to log in to Active Directory. DOMAIN is the name of the primary domain, i.e. the NetBIOS domain name. DOMAIN is set when the domain is created; by default it is part of the DNS name, but it can be changed completely at domain creation time.

You can find it with the nETBIOSName attribute:

 ldifde -f netbios.ldf -d "CN=Partitions,CN=Configuration,DC=your-DNS-Name" -r "(netbiosname=*)" 

Edited

Here is the C# code:

    using System;
    using System.Management;   // reference System.Management.dll

    // Same WQL query as the PowerShell one-liner above
    ManagementObjectSearcher domainInfos1 = new ManagementObjectSearcher("select * from WIN32_NTDomain");
    foreach (ManagementObject domainInfo in domainInfos1.Get())
    {
        Console.WriteLine("Name : {0}", domainInfo.GetPropertyValue("Name"));
        Console.WriteLine("Computer/domain : {0}", domainInfo.GetPropertyValue("Caption"));
        Console.WriteLine("Domain name : {0}", domainInfo.GetPropertyValue("DomainName"));
        Console.WriteLine("Status : {0}", domainInfo.GetPropertyValue("Status"));
    }
+3

DC stands for domain component. There seems to be a decent primer on programming Active Directory here. It is a bit too much to copy and paste in full, but I found the following that might help you:

    domainname = InputBox("Enter DNS Domain Name" & vbCrLf & "(Leave blank for current domain):")
    username = InputBox("Enter username:")
    If domainname = "" Then
        ' No domain given: read the default naming context of the current domain from RootDSE
        Set objRoot = GetObject("LDAP://RootDSE")
        domainname = objRoot.Get("defaultNamingContext")
    End If
    If username <> "" Then
        WScript.Echo FindUser(username, domainname)
    End If

    ' Returns the ADsPath of the first account whose sAMAccountName matches UserName
    Function FindUser(ByVal UserName, ByVal Domain)
        On Error Resume Next
        Set cn = CreateObject("ADODB.Connection")
        Set cmd = CreateObject("ADODB.Command")
        Set rs = CreateObject("ADODB.Recordset")
        cn.Open "Provider=ADsDSOObject;"
        cmd.ActiveConnection = cn
        ' UserName is spliced directly into the query text; only pass values you have validated
        cmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & Domain & _
                          "' WHERE sAMAccountName = '" & UserName & "'"
        Set rs = cmd.Execute
        If Err <> 0 Then
            FindUser = "Error connecting to Active Directory Database: " & Err.Description
        Else
            If Not rs.BOF And Not rs.EOF Then
                rs.MoveFirst
                FindUser = rs(0)
            Else
                FindUser = "Not Found"
            End If
        End If
        cn.Close
    End Function
+1

You can get the user's userPrincipalName. It looks like an email address, but is actually sAMAccountName + "@" + domain.name. One thing to note is that an Active Directory domain name looks like an Internet domain name, but the NetBIOS domain name ("abc" in your example) does not.

If you take the UPN, I believe that it will always contain a dotted domain name.

0
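Pulling the WMI/ldifde answer and the UPN answer together, here is an added C# example (not code from any of the answers above) that starts from a logon name in the "abc\jsmith" form, maps the NetBIOS part to the DNS domain by searching the nETBIOSName attribute of the crossRef objects under CN=Partitions (the same objects the ldifde command exports), and then binds a PrincipalContext to that DNS domain to read the user's userPrincipalName and distinguishedName. It assumes a domain-joined Windows host and references to System.DirectoryServices and System.DirectoryServices.AccountManagement; the logon name "abc\jsmith" is a constructed sample, and the type and method names DomainResolver, TrySplitLogonName, EscapeFilterValue, NetBiosToDnsDomain and DescribeUser are this example's own.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example: resolve "DOMAIN\user" to the DNS domain, UPN and DN.
// The crossRef lookup only covers domains in the same forest as the
// machine running the code; a domain trusted from another forest has
// no crossRef here and NetBiosToDnsDomain returns null for it.
public static class DomainResolver
{
    // Split "DOMAIN\user" into its parts. Anything other than exactly one
    // backslash with non-empty text on both sides is rejected.
    public static bool TrySplitLogonName(string logonName, out string domain, out string user)
    {
        domain = user = null;
        if (string.IsNullOrEmpty(logonName)) return false;
        string[] parts = logonName.Split('\\');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        domain = parts[0];
        user = parts[1];
        return true;
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515) so a
    // value taken from the request cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Find the crossRef whose nETBIOSName matches the flat domain name and
    // return its dnsRoot, e.g. "abc" -> "abc.com". Null when not found.
    public static string NetBiosToDnsDomain(string netbiosName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
            using (var partitions = new DirectoryEntry("LDAP://CN=Partitions," + configNc))
            using (var searcher = new DirectorySearcher(partitions))
            {
                searcher.Filter = "(&(objectClass=crossRef)(nETBIOSName=" + EscapeFilterValue(netbiosName) + "))";
                searcher.SearchScope = SearchScope.OneLevel;
                searcher.PropertiesToLoad.Add("dnsRoot");
                SearchResult result = searcher.FindOne();
                if (result == null || result.Properties["dnsRoot"].Count == 0) return null;
                return (string)result.Properties["dnsRoot"][0];
            }
        }
    }

    // Bind to the resolved DNS domain and report the user's UPN and DN; the
    // UPN suffix is the dotted domain name the last answer refers to.
    public static string DescribeUser(string logonName)
    {
        string netbios, sam;
        if (!TrySplitLogonName(logonName, out netbios, out sam))
            throw new ArgumentException("expected DOMAIN\\user", "logonName");

        string dnsDomain = NetBiosToDnsDomain(netbios);
        if (dnsDomain == null) return "unknown NetBIOS domain: " + netbios;

        using (var ctx = new PrincipalContext(ContextType.Domain, dnsDomain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null) return "user not found in " + dnsDomain;
            return string.Format("DNS domain: {0}; UPN: {1}; DN: {2}",
                                 dnsDomain, user.UserPrincipalName, user.DistinguishedName);
        }
    }

    public static void Main()
    {
        // Constructed sample; in the web application pass LogonUserIdentity.Name instead.
        Console.WriteLine(DescribeUser(@"abc\jsmith"));
    }
}
```

The RootDSE and partition binds run as the calling identity, so under ASP.NET that is the application pool account rather than the visiting user; it needs only read access to the configuration partition, which authenticated domain accounts have by default. The filter escaping matters because the NetBIOS part comes straight from the request headers of the logon, and an unescaped "*" or ")" would otherwise widen or break the search.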
