Accessing Directory Services in .NET Framework 2.0

Monday Feb 13th 2006 by Mark Strawmyer

The Microsoft .NET Framework 2.0 has made several improvements to the System.DirectoryServices namespace. They expand your ability to interact with your enterprise Active Directory.

Development Environment for this Article

The configuration of the development environment used for this article is a Microsoft Virtual PC running Windows Server 2003. I promoted it to a domain controller for a fictitious domain. All of the examples in this article run against that server instance. For those not familiar with Virtual PC, I highly recommend you investigate it. It is a highly valuable tool for building simulated development environments, among other things.

Searching the Directory

The .NET Framework 2.0 contains several enhancements related to search capabilities. The DirectorySearcher is still the class that provides the relevant functionality for searching directories, but it has expanded capabilities beyond what was available in the 1.x versions.

Finding Deleted Users Sample

Suppose an application uses the directory service for authentication (user ID and password validation), but relies on a separate data store in an application database to determine what the user can do within the application. The ability to determine quickly which users have recently been deleted from the directory service can be useful. When you know an account has been removed from your AD, you can remove it from your application as well. By default, objects deleted within AD are moved into the Deleted Objects container for a period of time. Now, you can search this container, courtesy of the expanded search functionality.

The sample code below executes a search and displays the account name, using the FindAll method of the DirectorySearcher class in combination with specific filter, scope, and Tombstone properties to find all entries in the Active Directory that have recently been deleted. It is important to set the AuthenticationType as AuthenticationTypes.FastBind to prevent it from verifying whether the object actually exists in the directory:

DirectoryEntry entry = new DirectoryEntry(
"LDAP://cn=Deleted Objects,DC=dev,DC=codeguru,DC=com");
entry.AuthenticationType = AuthenticationTypes.FastBind | 

using( DirectorySearcher search = new DirectorySearcher(entry) )
   search.Filter = "isDeleted=TRUE";
   search.SearchScope = SearchScope.OneLevel;
   search.Tombstone = true;

   using (SearchResultCollection results = search.FindAll())
      foreach (SearchResult result in results)
      if (result.Properties.Contains("SAMAccountName"))
            Console.WriteLine("Account name = {0}", 
            result.Properties["SAMAccountName"][0]); }

Virtual List View Sample

The Virtual List View (VLV) is a Windows Server 2003 feature that allows you to execute large searches against a directory service and scroll/page through them efficiently without having to return the full results at once. It retrieves contiguous subsets from the search results rather than grabbing them all at once. You control the search results by attaching a VLV to the DirectorySearcher instance being used to search the directory. You need to set a server side sorting value, otherwise it won't operate properly.

The following sample code illustrates these concepts by first searching for a target user and then grabbing a set of records from that spot onward. Next, it adjusts that to find a result and returns five records prior to the first match and one after (You may need to adjust the Target string to search for users that will match in your directory.):

DirectoryEntry entry =
   new DirectoryEntry("LDAP://");
DirectorySearcher search = new DirectorySearcher(entry,

SortOption sort = new SortOption("SAMAccountName",
search.Sort = sort;

// Find a place where user accounts that start with cs
// Return 5 records from the results spot (results are zero based)
DirectoryVirtualListView virtualList =
   new DirectoryVirtualListView();
virtualList.BeforeCount = 0;
virtualList.AfterCount  = 4;
virtualList.Target      = "cs";

search.VirtualListView = virtualList;
foreach (SearchResult result in search.FindAll())
   Console.WriteLine("Account name = {0}",

Console.WriteLine("Additional Searching");
// Context is still attached so I can adjust the results
// Return 5 records before the match and 1 after
search.VirtualListView.BeforeCount = 5;
search.VirtualListView.AfterCount  = 1;
foreach (SearchResult result in search.FindAll())
   Console.WriteLine("Account name = {0}",

Changing a User Password

One of the most common questions I receive regarding Active Directory is: "How do I change the password for an existing user so that I can allow users to change their Windows passwords from within my application?" The question is misleading because the command to set the password for the first time for a new user is different from the command to change an existing password.

Changing a user's password is fairly straightforward. The first step is to find the specific user account in Active Directory and then execute the ChangePassword action:

   // Use the user account you're changing the password on
   // to validate the user really exists. Specifies the
   // authentication type as secure as I had problems
   // getting it to work otherwise.
   DirectoryEntry entry = new DirectoryEntry(
      "\\testuser", "password",
      AuthenticationTypes.Secure |
      AuthenticationTypes.Sealing |

   DirectorySearcher search = new DirectorySearcher(entry);
   search.Filter = "(SAMAccountName=testuser)";
   SearchResult result = search.FindOne();
   DirectoryEntry user = result.GetDirectoryEntry();
   Object ret = user.Invoke("ChangePassword", new object[] {
      "password", "newpassword" });
catch( Exception exception )
   Console.WriteLine( exception.Message );

Other Namespace Additions

The System.DirectoryServices namespace offers many changes in the 2.0 Framework, including the new System.DirectoryServices.ActiveDirectory and System.DirectoryServices.Protocols. However, the ActiveDirectory namespace name is misleading. The ActiveDirectory namespace is intended for automating management tasks and cannot be used to access data contained within Active Directory. You still use the System.DirectoryServices namespace to access the contents of Active Directory or other directory service. The Protocols namespace allows you to work with the LDAP 3.0 protocol along with the Directory Services Markup Language (DSML) 2.0.

Better Interaction with Your Enterprise AD

Several improvements to the System.DirectoryServices namespace will expand the ability to interact with your enterprise Active Directory. Now, the entire process operates predominantly off managed code and is much smoother and more efficient to use. Other handy additions such as the ActiveDirectory and Protocols namespaces warrant future exploration.

Future Columns

The topic of the next column is yet to be determined. If you have something in particular that you would like to see explained here, e-mail me at

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved