Simple code snippets to get AD user information
I wrote a small AD snippet just the other day, to check which AD groups a specific AD user was member of. I needed to check if a user was member of a specific AD group, to enable or disable some “super user” functions in the system management application.
Note that it uses web.wintypes.adstypes, which may only be available in XE5 and upwards?
#ActiveDirectory #XE7 http://pastebin.com/EYwHUerR
Yup, posted it there as well, but made a separate post to make it easier to reshare later, if needed.
BTW: AD calls are s..l..o..w.. !
What about nested groups? Groups from trusted domains?
I had no need for that, so I didn’t look into it.
Alex Egorov I’d suggest getting user membership by using LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941). It’s more powerful, returns nested groups, and the search is done on the DCs (i.e. less network traffic).
http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
Petar Georgiev Yes, I know about this and use it, but sometimes it is very slow.
Alex Egorov Yes, it depends on the number of groups. But no self-made nested group search solution will be faster.
Currently I am trying to use ‘tokenGroups’ and have code like this:
uses
  Winapi.Windows, Winapi.ActiveX, System.Variants,
  ActiveDs_TLB; // the ADSI type-library import unit that declares IADs (unit name varies by install)

// Bind to an ADSI object by display name ('LDAP://...'), like VBScript's GetObject.
function GetObject(const Name: string): IDispatch;
var
  BindCtx: IBindCtx;
  Moniker: IMoniker;
  Eaten: Integer;
  Dispatch: IDispatch;
begin
  Result := nil;
  BindCtx := nil;
  if CreateBindCtx(0, BindCtx) = S_OK then begin
    Moniker := nil;
    if MkParseDisplayName(BindCtx, PWideChar(WideString(Name)), Eaten, Moniker) = S_OK then begin
      Dispatch := nil;
      if Moniker.BindToObject(BindCtx, nil, IADs, Dispatch) = S_OK then
        Result := Dispatch;
    end;
  end;
end;

// Read the constructed attribute tokenGroups for a user given by distinguished name
// (sADUserName, e.g. 'CN=...,OU=...,DC=...'). The result is a variant array whose
// elements are byte arrays: one binary SID per group, nested groups already expanded.
function GetTokenGroups(const sADUserName: string): OleVariant;
var
  ADs: IADs;
begin
  ADs := GetObject('LDAP://' + sADUserName) as IADs;
  // GetInfoEx expects a variant array of attribute names, not a Delphi dynamic array
  ADs.GetInfoEx(VarArrayOf(['tokenGroups']), 0);
  Result := ADs.Get('tokenGroups');
end;
Now I have in the Groups variable an array of arrays of bytes; these are SIDs in raw byte format.
How do I convert these arrays of bytes to a SID string or PSID for use with LookupAccountSid?
Alex Egorov http://stackoverflow.com/a/13935995/1022219
BTW, TokenGroups expects a Global Catalog in a good shape.
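Putting the two pieces together (Alex's tokenGroups read and Petar's pointer on converting the raw SIDs), here is an added example of my own, not code from the thread: it turns each tokenGroups element into an S-1-5-... string via advapi32's ConvertSidToStringSid and answers the original post's question ("is this user in that group?") by comparing SIDs rather than names. The only assumption is the input shape: a Variant as returned by IADs.Get('tokenGroups').

```delphi
uses
  Winapi.Windows, System.SysUtils, System.Variants;

// advapi32 export, declared here because not every Winapi.Windows version imports it.
function ConvertSidToStringSidW(Sid: PSID; var StringSid: PWideChar): BOOL; stdcall;
  external 'advapi32.dll';

// One tokenGroups element is a variant byte array holding a binary SID.
// Returns its 'S-1-5-21-...' form, or '' if the element is not a byte array.
function RawSidToString(const RawSid: Variant): string;
var
  P: Pointer;
  S: PWideChar;
begin
  Result := '';
  if not VarIsArray(RawSid) then Exit;
  P := VarArrayLock(RawSid);           // P now points at the raw SID bytes
  try
    if ConvertSidToStringSidW(P, S) then
    try
      Result := S;
    finally
      LocalFree(HLOCAL(S));            // the string buffer was allocated by advapi32
    end;
  finally
    VarArrayUnlock(RawSid);
  end;
end;

// Membership test by SID string, so renamed or localized group names do not matter.
// tokenGroups is already flattened by the DC, so nested membership is included.
// With exactly one group ADSI may return a bare byte array instead of an array of
// byte arrays; both shapes are handled.
function IsMemberOf(const TokenGroups: Variant; const GroupSid: string): Boolean;
var
  I: Integer;
begin
  Result := False;
  if not VarIsArray(TokenGroups) then Exit;
  if VarType(TokenGroups) = varArray or varByte then
    Exit(SameText(RawSidToString(TokenGroups), GroupSid));
  for I := VarArrayLowBound(TokenGroups, 1) to VarArrayHighBound(TokenGroups, 1) do
    if SameText(RawSidToString(TokenGroups[I]), GroupSid) then Exit(True);
end;
```

The group's SID can be read once from its objectSid attribute and stored in the application's configuration; a SID that ConvertSidToStringSid cannot parse yields '' and is simply never matched.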
Petar Georgiev Thank you very much!