Extended DN Queries
An Extended DN query allows us to retrieve the formatted GUID and security identifier (SID) of an object as well as the normal DN when retrieving objects in the domain. Typically, the DN is returned in the traditional format:
CN=Someone,CN=Users,DC=domain,DC=com
However, when we set the DirectorySearcher's ExtendedDN property to either the Standard or the HexString value, the extended DN search feature is enabled and our DNs will look like this:
; ; CN=Someone,CN=Users,DC=domain,DC=com
...or this:
; ; CN=Someone,CN=Users,DC=domain,DC=com
The DN now includes a semicolon-delimited list of the GUID and SID DN syntaxes that we described in Chapter 3, in addition to the traditional DN. Note that only objects that are security principalsfor example, users and groupshave a SID, so the SID is included only with these types of objects. The GUID is always returned, as every object has an objectGUID attribute.
Listing 5.8 shows a simple example.
Listing 5.8. Using the ExtendedDN Query
|
string adsPath = "LDAP://DC=domain,DC=net"; //Create our SearchRoot DirectoryEntry entry = new DirectoryEntry( adsPath, null, null, AuthenticationTypes.Secure ); using (entry) { //Create our searcher DirectorySearcher ds = new DirectorySearcher( entry, "(sAMAccountName=User1)", //find 'User1' new string[] { "distinguishedName" } ); //Specify the Standard Syntax ds.ExtendedDN = ExtendedDN.Standard; SearchResult sr = ds.FindOne(); string dn = sr.Properties["distinguishedName"][0].ToString(); //ExtendedDN is in //";;distinguishedName" format string[] parts = dn.Split(new char[]{';'}); //Output each piece of the extended DN foreach (string part in parts) { Console.WriteLine(part); } } //OUT: ; // ; // CN=User1,OU=Domain Users,DC=domain,DC=net |
Given that we must manually parse the returned values for each DN to find the GUID or SID, why is this even useful? Well, sometimes we might want to return the GUID and SID for each object returned in the search, and this method is definitely more efficient than binding to each object and retrieving the GUID or SID from the DirectoryEntry.
Had this functionality been exposed in .NET 1.x, it would have given us a nice way to get the string format of a SID without using P/Invoke. However, in .NET 2.0, this is an easy task now with the SecurityIdentifier class. We expect to need the ExtendedDN feature much less often than most of the other advanced features available to us.
Warning: ExtendedDN Requires Windows 2003 Clients!
As of this writing, the ADSI code that supports ExtendedDN is implemented only in the Windows Server 2003 version of the ADSI library. This means that we cannot use Windows XP workstations or lower for issuing ExtendedDN queries with DirectorySearcher. Attempting to use ExtendedDN on an unsupported platform will result in an InvalidOperationException from DirectorySearcher.
Reading Security Descriptors with Security Masks
|