Extended DN Queries

An Extended DN query allows us to retrieve the formatted GUID and security identifier (SID) of an object as well as the normal DN when retrieving objects in the domain. Typically, the DN is returned in the traditional format:


However, when we set the DirectorySearcher's ExtendedDN property to either the Standard or the HexString value, the extended DN search feature is enabled and our DNs will look like this:


...or this:


The DN now includes a semicolon-delimited list of the GUID and SID DN syntaxes that we described in Chapter 3, in addition to the traditional DN. Note that only objects that are security principals (for example, users and groups) have a SID, so the SID is included only with these types of objects. The GUID is always returned, as every object has an objectGUID attribute.

Listing 5.8 shows a simple example.

Listing 5.8. Using the ExtendedDN Query

using System;
using System.DirectoryServices;

class ExtendedDnSample
{
    static void Main()
    {
        string adsPath = "LDAP://DC=domain,DC=net";

        //Create our SearchRoot
        DirectoryEntry entry = new DirectoryEntry(adsPath);

        using (entry)
        {
            //Create our searcher
            DirectorySearcher ds = new DirectorySearcher(
                entry,
                "(sAMAccountName=User1)", //find 'User1'
                new string[] { "distinguishedName" }
                );

            //Specify the Standard Syntax
            ds.ExtendedDN = ExtendedDN.Standard;

            SearchResult sr = ds.FindOne();

            //The extended DN comes back in the distinguishedName attribute
            string dn =
                sr.Properties["distinguishedName"][0].ToString();

            //ExtendedDN is in
            //"<GUID=...>;<SID=...>;distinguishedName" format
            string[] parts = dn.Split(new char[] { ';' });

            //Output each piece of the extended DN
            foreach (string part in parts)
            {
                Console.WriteLine(part);
            }
        }
    }
}

//OUT: <GUID=...>;
//     <SID=...>;
//     CN=User1,OU=Domain Users,DC=domain,DC=net

Given that we must manually parse the returned values for each DN to find the GUID or SID, why is this even useful? Well, sometimes we might want to return the GUID and SID for each object returned in the search, and this method is definitely more efficient than binding to each object and retrieving the GUID or SID from the DirectoryEntry.

Had this functionality been exposed in .NET 1.x, it would have given us a nice way to get the string format of a SID without using P/Invoke. However, in .NET 2.0, this is an easy task now with the SecurityIdentifier class. We expect to need the ExtendedDN feature much less often than most of the other advanced features available to us.
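As an added example (not code from the book), the following C# parser pulls the GUID, SID and plain DN out of an ExtendedDN string and hands the SID to the .NET 2.0 SecurityIdentifier class mentioned above. It consumes only the leading <GUID=...>; and <SID=...>; tokens rather than splitting on every semicolon, so it copes with objects that have no SID and with RDN values that contain an escaped semicolon. The class names ExtendedDnParts and ExtendedDnParser and the sample DN values are constructed for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Text.RegularExpressions;

// Pieces of an extended DN. Sid stays null for objects that are not security
// principals (for example, OUs), because AD omits the <SID=...> token for them.
public sealed class ExtendedDnParts
{
    public string ObjectGuid;
    public string Sid;
    public string Dn;
}
public static class ExtendedDnParser
{
    // One leading "<GUID=...>;" or "<SID=...>;" token. Only prefix tokens are
    // consumed, so an RDN value containing an escaped "\;" is not split apart.
    static readonly Regex Token = new Regex(@"^<(GUID|SID)=([^>]+)>;", RegexOptions.IgnoreCase);

    public static ExtendedDnParts Parse(string extendedDn)
    {
        if (extendedDn == null) throw new ArgumentNullException("extendedDn");
        ExtendedDnParts parts = new ExtendedDnParts();
        string rest = extendedDn;
        for (Match m = Token.Match(rest); m.Success; m = Token.Match(rest))
        {
            if (m.Groups[1].Value.ToUpperInvariant() == "GUID") parts.ObjectGuid = m.Groups[2].Value;
            else parts.Sid = m.Groups[2].Value;
            rest = rest.Substring(m.Length);
        }
        parts.Dn = rest;
        return parts;
    }

    // Standard-syntax SIDs ("S-1-5-...") load straight into SecurityIdentifier;
    // HexString output would need a byte conversion first, so it yields null here.
    public static SecurityIdentifier ToSecurityIdentifier(ExtendedDnParts parts)
    {
        if (parts.Sid == null || !parts.Sid.StartsWith("S-")) return null;
        return new SecurityIdentifier(parts.Sid);
    }
    public static void Main()
    {
        // Constructed sample values, not real directory data.
        ExtendedDnParts user = Parse("<GUID=8f1d2a34-5b6c-4d7e-8f90-1a2b3c4d5e6f>;" +
            "<SID=S-1-5-21-1111111111-2222222222-3333333333-1105>;CN=User1,OU=Domain Users,DC=domain,DC=net");
        ExtendedDnParts ou = Parse("<GUID=0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9>;OU=Sales\\; East,DC=domain,DC=net");
        Console.WriteLine("{0} -> {1}", user.Dn, ToSecurityIdentifier(user).Value);
        Console.WriteLine("{0} -> SID present: {1}", ou.Dn, ou.Sid != null);
    }
}
```

The second sample keeps the OU's full DN intact even though its value contains an escaped semicolon, which the naive Split in Listing 5.8 would cut in two.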

Warning: ExtendedDN Requires Windows 2003 Clients!

As of this writing, the ADSI code that supports ExtendedDN is implemented only in the Windows Server 2003 version of the ADSI library. This means that we cannot use Windows XP workstations or lower for issuing ExtendedDN queries with DirectorySearcher. Attempting to use ExtendedDN on an unsupported platform will result in an InvalidOperationException from DirectorySearcher.

The .NET Developer's Guide to Directory Services Programming
ISBN: 0321350170
Year: 2004
Pages: 165
