Wednesday, March 02, 2005

Get AD objects by GUID using System.DirectoryServices

All objects in ActiveDirectory are uniquely identified by their distinguishedName or objectGuid attributes. One of these identifiers are typically used to store references to an AD object and to retrieve it. The strenght of the GUID is that it stays the same even when an object is moved and thus gets a new distinguishedName. We typically stores an AD object GUID in a SQL Server database in the standard .NET GUID format (DirectoryEntry.Guid) in uniqueidentifier columns.

Searching for an object by a standard .NET GUID using the DirectorySearcher class is not as straightforward as you may think. A GUID must be formatted as an "octet string" (ActiveDirectory native format) to be able to use it in a DirectorySearcher filter as a filter clause. I have used this function to convert a standard GUID string to an octet string:

public static string Guid2OctetString(string objectGuid)
{
System.Guid guid = new Guid(objectGuid);
byte[] byteGuid = guid.ToByteArray();
string queryGuid = "";
foreach(byte b in byteGuid)
{
queryGuid += @"\" + b.ToString("x2");
}
return queryGuid;
}

Note that if you have a DirectoryEntry object instead of just a standard GUID string, then the .NativeGuid will give you the octet string.

All AD objects have a specific class such as "user", "contact" or "group", which helps on narrowing the number of entries to search through. Always apply an objectClass filter in your AD searches. With the GUID, octet string method and the objectClass at hand, looking up the AD object is done like this:

. . .
string adPath = "LDAP://DC=myco,DC=local"
DirectoryEntry adRoot = new DirectoryEntry(adPath);
Object adsiObj = adRoot.NativeObject; //Bind to the native AdsObject to force authentication

DirectorySearcher adSearch = new DirectorySearcher(adRoot);
string queryGuid = Guid2OctetString(objectGuid);
adSearch.Filter = "(&(objectClass=" + objectClass + ")(objectGUID=" + queryGuid + "))";

SearchResult adResults = adSearch.FindOne();
adObject = adResults.GetDirectoryEntry();
. . .

Applying a GUID filter clause to the objectGUID attribute in this example is just for illustration purposes.

To lookup the AD object identified by the GUID simply use the octet string (.NativeGuid) in the DirectoryEntry constructor (see Binding Using GUID in the DirectoryService SDK):

DirectoryEntry adObject= new DirectoryEntry("LDAP://<" + "GUID=" + nativeGuid + ">")

Please let me know if the .NET Guid .ToString() has a format argument I have missed that produces the octet string format.

Posted by at
Labels: ,

9 comments:

Anonymous said...

It's exactly I was looking for.

Thanks !

April 3, 2006 at 4:54 PM
Anonymous said...

This article helped me and saved my time. Thanks.

July 12, 2006 at 6:16 PM
Anonymous said...

Thank you!

May 11, 2007 at 1:04 AM
Harlan Crystal said...

Question:

When you are binding to a guid directly (e.g., new DirectoryEntry("LDAP://<GUID="+nativeguidstr+">"))
how does this directory entry know which AD-server & authentication to use?

October 23, 2007 at 11:03 PM
ANP said...

I have tried DirectoryEntry("LDAP://" + domainName + "/<GUID=" + nativeguidstr + ">")), but it does not work as well. So the only way to specify AD domain is to use DirectorySearcher as described. Many thanks to author!

June 3, 2008 at 12:07 PM
Dannygibor said...

Well done. Works great!

June 15, 2009 at 5:57 PM
Anonymous said...

Joe Kaplan has a good solution to this Problem. And a solution with the GUI to Octet String Problem.
http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net-security/1595/Binding-DirectoryEntry-to-AD-object-via-GUID

March 3, 2010 at 10:59 AM
Anonymous said...

Thanks!

September 25, 2013 at 1:50 PM
Anonymous said...

Works great!

Thanks

September 18, 2015 at 10:21 PM

Post a Comment

Subscribe to: Post Comments (Atom)