Extended DN Queries
An Extended DN query lets us retrieve an object's GUID and, where it has one, its security identifier (SID) in a formatted form alongside the normal DN when we search the domain. Typically, the DN is returned in the traditional format:
CN=Someone,CN=Users,DC=domain,DC=com
However, when we set the DirectorySearcher's ExtendedDN property to either the Standard or the HexString value, the extended DN search feature is enabled and our DNs will look like this:
<GUID=01a3e601-7b3a-42f1-8b25-f5cc2dc41565>;
<SID=S-1-5-21-329068152-1454471165-1417001333-227109>;
CN=Someone,CN=Users,DC=domain,DC=com
...or this:
<GUID=01e6a3013a7bf1428b25f5cc2dc41565>;
<SID=010500000000000515000000782e9d13fd77b15675b9755425770300>;
CN=Someone,CN=Users,DC=domain,DC=com
The DN now includes a semicolon-delimited list of the GUID and SID DN syntaxes that we described in Chapter 3, in addition to the traditional DN. With Standard, the GUID and SID appear in their usual string forms; with HexString, they are the raw bytes of the objectGUID and objectSid attributes written out as hex, which is why the first three fields of the GUID appear byte-swapped in the second example (they are stored little-endian). Note that only objects that are security principals (for example, users, groups and computers) have a SID, so the SID component is present only for these objects, and any code that parses an extended DN must tolerate its absence. The GUID is always returned, as every object has an objectGUID attribute. Listing 5.8 shows a simple example.
Listing 5.8. Using the ExtendedDN Query
string adsPath = "LDAP://DC=domain,DC=net";

//Create our SearchRoot
DirectoryEntry entry = new DirectoryEntry(
    adsPath,
    null,
    null,
    AuthenticationTypes.Secure
    );

using (entry)
{
    //Create our searcher
    DirectorySearcher ds = new DirectorySearcher(
        entry,
        "(sAMAccountName=User1)", //find 'User1'
        new string[] { "distinguishedName" }
        );

    //Specify the Standard Syntax
    ds.ExtendedDN = ExtendedDN.Standard;

    SearchResult sr = ds.FindOne();

    //FindOne returns null when nothing matches the filter
    if (sr == null)
    {
        Console.WriteLine("User1 not found");
        return;
    }

    string dn =
        sr.Properties["distinguishedName"][0].ToString();

    //ExtendedDN is in
    //"<GUID=XXX>;<SID=XXX>;distinguishedName" format
    string[] parts = dn.Split(new char[] { ';' });

    //Output each piece of the extended DN
    foreach (string part in parts)
    {
        Console.WriteLine(part);
    }
}

//OUT: <GUID=4fe5eed1-e8a5-4831-af3f-0be590f879ca>;
//     <SID=S-1-5-21-4089392435-310822506-2481186512-1115>;
//     CN=User1,OU=Domain Users,DC=domain,DC=net
Given that we must manually parse the returned value of each DN to find the GUID or SID, why is this even useful? Well, sometimes we want the GUID and SID of every object returned by a search (for example, to match the trustees in a set of ACLs or the members of a group against the objects they refer to), and getting them in the search results themselves costs one round trip, which is definitely more efficient than binding to each object and reading the GUID or SID from its DirectoryEntry.
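The parsing that Listing 5.8 leaves to the reader, written out as an added example (this is our illustration, not a listing from the book): it accepts the value produced by either ExtendedDN.Standard or ExtendedDN.HexString, decodes the hex forms with Guid(byte[]) and SecurityIdentifier(byte[], int) so the caller always gets a Guid and a SecurityIdentifier, and tolerates objects that carry no SID. The names ExtendedDnParser and ExtendedDnParts are chosen here; the inputs in Main are the two sample DNs shown earlier in this section plus a constructed OU DN that has no SID component.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;

// Parsed pieces of one extended DN. Sid is null for objects that are not
// security principals (OUs, containers and so on) and so have no objectSid.
public sealed class ExtendedDnParts
{
    public Guid ObjectGuid { get; set; }
    public SecurityIdentifier Sid { get; set; }
    public string DistinguishedName { get; set; }
}

public static class ExtendedDnParser
{
    // Accepts "<GUID=...>;<SID=...>;DN" as returned with ExtendedDN.Standard
    // or ExtendedDN.HexString and normalizes both forms to the same types.
    public static ExtendedDnParts Parse(string extendedDn)
    {
        if (string.IsNullOrEmpty(extendedDn))
            throw new ArgumentException("empty extended DN", "extendedDn");

        ExtendedDnParts parts = new ExtendedDnParts();
        string rest = extendedDn;

        // Peel off leading "<NAME=VALUE>;" components one at a time instead of
        // splitting the whole string on ';': a DN may itself contain an escaped
        // semicolon (CN=Smith\; John,...), which a blind Split would cut apart.
        while (rest.StartsWith("<", StringComparison.Ordinal))
        {
            int close = rest.IndexOf(">;", StringComparison.Ordinal);
            if (close < 0)
                throw new FormatException("unterminated <...> component: " + rest);
            string component = rest.Substring(1, close - 1);   // NAME=VALUE
            rest = rest.Substring(close + 2);

            int eq = component.IndexOf('=');
            if (eq < 0)
                throw new FormatException("component without '=': " + component);
            string name = component.Substring(0, eq);
            string value = component.Substring(eq + 1);

            if (string.Equals(name, "GUID", StringComparison.OrdinalIgnoreCase))
                parts.ObjectGuid = ParseGuid(value);
            else if (string.Equals(name, "SID", StringComparison.OrdinalIgnoreCase))
                parts.Sid = ParseSid(value);
            else
                throw new FormatException("unexpected component: " + name);
        }

        parts.DistinguishedName = rest;
        return parts;
    }

    // Standard:  01a3e601-7b3a-42f1-8b25-f5cc2dc41565
    // HexString: 01e6a3013a7bf1428b25f5cc2dc41565 (raw objectGUID bytes; the first
    // three fields are little-endian, exactly the layout Guid(byte[]) expects).
    private static Guid ParseGuid(string value)
    {
        if (value.Length == 32)
            return new Guid(HexToBytes(value));
        return new Guid(value);
    }

    // Standard:  S-1-5-21-...
    // HexString: raw objectSid bytes (revision, sub-authority count, 48-bit
    // authority, little-endian sub-authorities), decoded by SecurityIdentifier.
    private static SecurityIdentifier ParseSid(string value)
    {
        if (value.StartsWith("S-", StringComparison.OrdinalIgnoreCase))
            return new SecurityIdentifier(value);
        return new SecurityIdentifier(HexToBytes(value), 0);
    }

    private static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("odd-length hex string: " + hex);
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = byte.Parse(hex.Substring(2 * i, 2),
                                  NumberStyles.HexNumber, CultureInfo.InvariantCulture);
        return bytes;
    }

    public static void Main()
    {
        // Constructed inputs: the section's two sample DNs (Standard, then
        // HexString) and an OU, which has a GUID but no SID component.
        string[] samples =
        {
            "<GUID=01a3e601-7b3a-42f1-8b25-f5cc2dc41565>;<SID=S-1-5-21-329068152-1454471165-1417001333-227109>;CN=Someone,CN=Users,DC=domain,DC=com",
            "<GUID=01e6a3013a7bf1428b25f5cc2dc41565>;<SID=010500000000000515000000782e9d13fd77b15675b9755425770300>;CN=Someone,CN=Users,DC=domain,DC=com",
            "<GUID=01e6a3013a7bf1428b25f5cc2dc41565>;OU=Domain Users,DC=domain,DC=net"
        };

        foreach (string s in samples)
        {
            ExtendedDnParts p = Parse(s);
            Console.WriteLine("GUID: {0}", p.ObjectGuid);
            Console.WriteLine("SID:  {0}", p.Sid == null ? "(none)" : p.Sid.Value);
            Console.WriteLine("DN:   {0}", p.DistinguishedName);
        }
    }
}
```

The first two samples are the same object in the two syntaxes, so they must decode to the same Guid (01a3e601-7b3a-42f1-8b25-f5cc2dc41565) and the same SID string (S-1-5-21-329068152-1454471165-1417001333-227109); that equality is a quick check that the hex decoding and byte order are handled correctly. The third sample exercises the no-SID path. In a real search loop, the string fed to Parse is simply sr.Properties["distinguishedName"][0].ToString() from each SearchResult, as in Listing 5.8.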
Had this functionality been exposed in .NET 1.x, it would have given us a nice way to get the string format of a SID without using P/Invoke. However, in .NET 2.0 this is an easy task with the SecurityIdentifier class. We expect to need the ExtendedDN feature much less often than most of the other advanced features available to us.
Warning: ExtendedDN Requires Windows 2003 Clients!

As of this writing, the ADSI code that supports ExtendedDN is implemented only in the Windows Server 2003 version of the ADSI library on the client machine. This means that we cannot issue ExtendedDN queries with DirectorySearcher from Windows XP workstations or earlier, regardless of the domain controller's version. Attempting to set ExtendedDN on an unsupported platform results in an InvalidOperationException from DirectorySearcher, so code that runs on mixed client platforms should catch that exception and fall back to reading objectGUID and objectSid from the search results.