Active Directory group name uniqueness requirement (query from C# client)

0
votes

Our company's C# product uses System.DirectoryServices.AccountManagement to query Active Directory for users and groups. We use the following method to get the principal:

...
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain);
return principalContext;
...

We get Active Directory groups using (e.g. groupName = "Devs"):

...
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(this.principalContext, groupName);
...

Everything works fine with this setup when we run it on a simple, one domain Active Directory database.

My question is, what will happen when we run this code on a big forest with more than one "Devs" group? Can there be more than one "Devs" security group in a forest? If so, how will it resolve "Devs"? Do I have to switch to using the method: 

public static GroupPrincipal FindByIdentity(
    PrincipalContext context,
    IdentityType identityType,
    string identityValue
)

I cannot simulate this currently (lack of resources and lack of time) and I have been reading a lot about this. I know there are local, global and universal security groups, spread among domain trees. But domain trees in a forest have some sort of trust among the roots, so they are not completely ignorant of each other. What is the worst case of having "Devs" duplicates in the forest and how could the application handle it?

1
c#active-directoryactive-directory-group
By "Devs" duplicates I mean that there are groups named "Devs" but they belong to different domains, etc. They probably need to have different distinguished names.Anda

1 Answers

1
votes

It's pretty common task to search through domain hierarchy. With AccountManagement classes you can do the following:

// Connect to global catalog of the forest
var context = new PrincipalContext(ContextType.Domain, "contoso.com:3268", "DC=contoso,DC=com");

// Build a filter principal by name and context
var groupFilter = new GroupPrincipal(context) {Name = "Devs"};

// Build a searcher with a filter applied
var searcher = new PrincipalSearcher(groupFilter);

// This should return all groups in all subdomains matching specified name
var groups = searcher.FindAll().ToList();

foreach (var group in groups)
{
    Console.WriteLine(group.DistinguishedName);
}

You will not have any duplicates cause there can't be more than one group with this name ("Devs") in domain. In AccountManagement terms you create GroupPrincipal object with context and name parameters and can't have more than one in context with the same name.

If you connect to the domain controller (new PrincipalContext(ContextType.Domain)) then FindByIdentity will search this single domain. If you connect to global catalog of the forest (like in my example, port 3268) then FindByIdentity will search entire forest. The DistinguishedName property will show which domain a group belongs to.

As to cross-forest access there you need to connect to global catalog in every forest separately, because there's no user/group data replication between forests global catalogs.