I have a situation where I need to find AD groups of a user recursively.
For Example :
I have such group hierarchy -
Group1
|_
Group2
|_
Group3
|_
UserA
According to the hierarchy, Groups of UserA are Group1, Group2, Group3
For finding it through the code I have used following method :
Dim UserP1 As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Remote_ID)
allrecursiveUserGroups = UserP1.GetAuthorizationGroups()
This method would give me all the groups recursively, but it is failing for one user and giving the exception as follows:
'System.DirectoryServices.AccountManagement.PrincipalOperationException' occurred in System.DirectoryServices.AccountManagement.dll
Additional information: While trying to retrieve the authorization groups, an error (1358) occurred.
Here is the complete StackTrace :
System.DirectoryServices.AccountManagement.PrincipalOperationException was unhandled ErrorCode=0 HResult=-2146233087 Message=While trying to retrieve the authorization groups, an error (1358) occurred. Source=System.DirectoryServices.AccountManagement
StackTrace: at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups()
Another method which I used is :
Dim UserP1 As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, Remote_ID)
Dim grps = UserP1.GetGroups
This is not throwing any exception and running perfectly for all Users but it only returns immediate groups i.e. Group3 in my case
The problem that I am facing with GetAuthorisationGroups is presence of special characters in Distinguished Name that I got by UserPrincipal.
The problem here is when [Distinguished Name][2] of UserPrincipal contains special characters (a comma in my case) then it throws exception.
In my case the distinguished name is :
CN=Smith\, John,DC=mydomain,DC=com
Here backward slash has been used as escape character which is added by UserPrincipal itself.
If [Distinguished Name][2] doesn't contain any special character the function [GetAuthorizationGroups()][1] works fine. e.g.
CN=Smith John,DC=mydomain,DC=com
What is the reason of the problem and is there any solution available for this?
What am I missing in my First Approach of using GetAuthorizationGroups() method?
What is the reason for error code 1358?
Is there any other good way of finding groups recursively other than GetAuthorisationGroups() of class UserPrincipal