Question

Here is what I am trying to achieve: I have a nested OU structure that is about 5 levels deep.

OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com

I am trying to find out if the user has permissions/exists at OU=Portal.

Here's a snippet of what I currently have:

using System.DirectoryServices.AccountManagement;

// Context whose container is the OU=Portal OU: only objects stored under that OU are searched.
PrincipalContext domain = new PrincipalContext(
    ContextType.Domain,
    "test.com",
    "OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com");

UserPrincipal user = UserPrincipal.FindByIdentity(domain, myusername);
// Throws NullReferenceException when FindByIdentity returned null.
PrincipalSearchResult<Principal> group = user.GetAuthorizationGroups();

For some unknown reason, the value user generated from the above code is always null. However, if I were to drop all the OU as follows:

using System.DirectoryServices.AccountManagement;

// Context whose container is the domain root: the whole domain is searched.
PrincipalContext domain = new PrincipalContext(
    ContextType.Domain,
    "test.com",
    "DC=test,DC=com");

UserPrincipal user = UserPrincipal.FindByIdentity(domain, myusername);
PrincipalSearchResult<Principal> group = user.GetAuthorizationGroups();

this would work just fine and return me the correct user. I am simply trying to reduce the number of results as opposed to getting everything from AD.

Is there anything that I am doing wrong? I've Googled for hours and tested various combinations without much luck.


Solution

Well, if

UserPrincipal.FindByIdentity(context, identityType, username) == null

then the user has not been found, which in your case it probably is, because the user isn't defined in the OU you are setting as the container in your Context.

Other tips

After much exploring, experimentation, googling and searching through Stack Overflow, it appears that .NET does not have a built-in method to 'read' a particular OU that has a reference to an external group that contains users as its members. Unfortunately, the suggested and recommended solution is to retrieve at domain level and perform some form of custom filtering.

Is the user you're looking for inside OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com ?

What does your user object look like after your second search? What is its DistinguishedName property?

The search you have in your first example will only search for objects inside that sub-sub-sub-sub-OU (the OU=Portal, .... that you have).

If your user exists in some other OU, then you have to search from the top of the domain - or inside the OU where the user actually exists (or any of its parents).

The user does not exist there, or you would not get null returned.

What is your end game? What do you mean by:

I am trying to find out if the user has permissions at OU=Portal.

What type of permissions are you looking for? Admin delegation?

Hope this is of some help; I was having the same problem trying to retrieve groups from a nested OU. The structure of the OU was Groups > WebGroups. So I was writing the following...

// Container DN with the OUs in the wrong order (Groups written as if it were the leaf).
var ctx = new PrincipalContext(ContextType.Domain, "domain", "OU=Groups,OU=WebGroups,DC=domain,DC=ie", "username", "password");

Turns out the order matters, WebGroups has to come first. When I changed it to the following my code worked...

// Leaf OU first, then its parent, then the domain components.
var ctx = new PrincipalContext(ContextType.Domain, "domain", "OU=WebGroups,OU=Groups,DC=domain,DC=ie", "username", "password");

So I'm assuming you'd have to write "OU=Admin,OU=Groups... OU=Portal" to get yours working.
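The accepted solution (a null from FindByIdentity means the account is not stored under the container) and the last tip (a container DN is written leaf-first, most specific OU on the left) together point at the check below. It is an added example, not code from the question or from any of the answers: search at domain scope, where FindByIdentity does return the account, then compare the returned DistinguishedName against the OU's DN on an RDN boundary. The domain name, OU path and account name are the question's placeholders, and the helper names are mine. It binds with the calling process's identity (ContextOptions.Negotiate) instead of a username/password literal in source, and it reports which of the user's authorization groups live under the OU, which is as close to "has permissions at OU=Portal" as this API gets (group membership, not an ACL check on the OU object).

```csharp
// Added example (not from the original question or answers). Assumes a
// domain "test.com", an account "myusername" and the OU path from the question.
using System;
using System.DirectoryServices.AccountManagement;

static class OuMembershipCheck
{
    // Leaf-first DN, as AD writes it: OU=Portal is the innermost OU.
    const string PortalOu = "OU=Portal,OU=Dev,OU=Apps,OU=Grps,OU=Admin,DC=test,DC=com";

    // Search from the domain root (container = null), where the account is
    // found if it exists at all, then test whether its DN sits under the OU.
    // Scoping the PrincipalContext to the OU instead returns null for any
    // account stored elsewhere, which is what the question observed.
    static bool UserIsUnderOu(string domain, string samAccountName, string ouDn)
    {
        // Negotiate (Kerberos/NTLM) with the current process identity:
        // no password literal in source or in memory.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, null, ContextOptions.Negotiate))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                return false;   // no such account anywhere in the domain

            return IsUnderContainer(user.DistinguishedName, ouDn);
        }
    }

    // True when objectDn is the container itself or lies anywhere beneath it.
    // The "," prefix keeps OU=Portal from matching OU=PortalArchive; DNs are
    // case-insensitive, so compare ignoring case.
    static bool IsUnderContainer(string objectDn, string containerDn)
    {
        if (string.Equals(objectDn, containerDn, StringComparison.OrdinalIgnoreCase))
            return true;
        return objectDn.EndsWith("," + containerDn, StringComparison.OrdinalIgnoreCase);
    }

    // Authorization groups are the user's token groups with nesting flattened.
    // Print the ones whose own DN is under the OU.
    static void PrintGroupsUnderOu(string domain, string samAccountName, string ouDn)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, null, ContextOptions.Negotiate))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
            {
                Console.WriteLine("no such user");
                return;
            }
            Console.WriteLine("user DN: " + user.DistinguishedName);
            foreach (Principal g in user.GetAuthorizationGroups())
            {
                // Well-known principals (e.g. Everyone) carry no DN; skip them.
                if (g.DistinguishedName != null && IsUnderContainer(g.DistinguishedName, ouDn))
                    Console.WriteLine("group under OU: " + g.SamAccountName);
            }
        }
    }

    static void Main()
    {
        Console.WriteLine(UserIsUnderOu("test.com", "myusername", PortalOu));
        PrintGroupsUnderOu("test.com", "myusername", PortalOu);
    }
}
```

Run it against a real domain with an account that exists under the OU and one that exists only elsewhere: the first returns true and the second false, while the OU-scoped context from the question would simply return null for the second. The suffix comparison is also why OU order matters in the container string: "OU=Groups,OU=WebGroups,..." and "OU=WebGroups,OU=Groups,..." are different containers, and only one of them exists.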

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow