My response is assuming that you are using the old DirectoryServices stuff
and not the newer 2.0 DS.Protocols stuff. 

With that caveat, most DS .NET code is less than optimal as it relies on
ADSI which is in itself less than optimal. Group enumeration is great
because it uses multiple queries to get ANYTHING besides the DN of the
members. So if you say query a group and you even know that a member is not
a user, you have already done the query for the group, and another query for
that member. So to enumerate a group of 500 members and display a full name
or object type or anything besides a DN, ADSI has already done another query
on your behalf to return the info for each member you have displayed so you
would have done 501 queries at that point. If you have to force additional
queries beyond that, well that is above and beyond. 

The only thing that is close to what you are asking for is something MS
added to K3 AD reachable only if you are using pure LDAP (not ADSI calls) is
called an attribute scoped query. Basically it allows you to do a BASE level
query of AD and tell it to return a specific Object to you (i.e. you can't
do a subtree search, you already need the DN of the object) but instead of
getting members as DNs, you can tell the AD to return to you any of the
attributes of each of the members or even to return only specific members
(say the users or the groups). 

You can learn more here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/performing_an_attribute_scoped_query.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_asq_oid.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_searchpref_enum.asp


Note, I just noticed the filter they use in the example of link 1 may not be
optimal. It isn't normally but it depends entirely on the implementation in
the backend as I don't expect the query is actually sent through the normal
process. I tried to find the implementation in the source to verify because
track it down. So I will send a note onto the MSDN folks to see if it can be
verified. The possibly non-optimal piece is the filter objectclass=user.

I don't use .NET, but it looks like there is some chatter on this, see 

http://msdn.microsoft.com/msdnmag/issues/05/12/DirectoryServices/default.aspx

http://winfx.msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/T_System_DirectoryServices_Protocols_AsqRequestControl.asp

  
 joe
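Added example (not code from joe, Aaron or the list): the attribute scoped query joe describes, issued through System.DirectoryServices.Protocols with AsqRequestControl, so that resolving a group costs one LDAP round trip per group rather than one per member, and nested groups are followed by recursing on members whose objectCategory is Group. The server name and group DN are placeholders; the user is assumed to bind with their current Windows credentials.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

static class AsqGroupWalker
{
    // Returns the sAMAccountName (logon name) of every user reachable from
    // groupDn, including through nested groups, using one ASQ per group.
    public static HashSet<string> UserLogonNames(LdapConnection conn, string groupDn)
    {
        var logons = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase); // circular nesting guard
        Walk(conn, groupDn, logons, visited);
        return logons;
    }

    static void Walk(LdapConnection conn, string groupDn, HashSet<string> logons, HashSet<string> visited)
    {
        if (!visited.Add(groupDn)) return;

        // BASE scope on the group itself. The ASQ control makes the server
        // apply the filter and attribute list to each DN in "member" and
        // return one entry per member, so no per-member lookup is needed.
        var req = new SearchRequest(groupDn, "(objectClass=*)", SearchScope.Base,
                                    "sAMAccountName", "objectCategory");
        req.Controls.Add(new AsqRequestControl("member"));

        var resp = (SearchResponse)conn.SendRequest(req);
        foreach (SearchResultEntry entry in resp.Entries)
        {
            // objectCategory is a DN such as CN=Group,CN=Schema,... or CN=Person,CN=Schema,...
            string category = (string)entry.Attributes["objectCategory"][0];
            if (category.StartsWith("CN=Group,", StringComparison.OrdinalIgnoreCase))
                Walk(conn, entry.DistinguishedName, logons, visited);
            else if (entry.Attributes.Contains("sAMAccountName")) // foreign principals have none
                logons.Add((string)entry.Attributes["sAMAccountName"][0]);
        }
    }

    static void Main()
    {
        using (var conn = new LdapConnection("dc01.example.test")) // placeholder DC
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Bind(); // current Windows credentials (assumption)
            foreach (var name in UserLogonNames(conn, "CN=App Admins,OU=Groups,DC=example,DC=test"))
                Console.WriteLine(name);
        }
    }
}
```

Because the filter is (objectClass=*), the objectClass=user filter joe flags as possibly non-optimal is avoided; the group/user split is done client-side on objectCategory instead.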



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Saturday, November 26, 2005 8:04 AM
To: [email protected]
Subject: RE: [ActiveDir] Query out all user members in nested groups

I apologize for leaving out crucial information.

I am trying to enhance (less-than-optimal) .NET code, so this involves the
use of DirectorySearcher and SearchResult classes in the
System.DirectoryServices namespace. The current implementation takes the
top-level group name and searches for it, then loops through the "member"
collection returned (part of the SearchResult.Properties collection),
determining which is a User and which is a Group. For those identified as
Groups, they are put through their own level of Members search. For each
User that is retrieved, yet another search is performed to get their logon
name (appears the results of the Member collection shows only Full Name
property of Users).

So in an example scenario, that can result in 200+ calls for individual User
query, taking some 179 seconds. My immediate idea was to find a way to make
a single chunky query rather than numerous small queries (similar to SQL
query advice), so I wondered if there is an LDAP search pattern that can
have itself recursively drill down all groups and return me the Logon names
in one fell swoop. If that is not possible, then the next best thing would
be to return all Users' Logon names in a Group rather than the Full name.


Aaron


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
