excellent stuff… i no longer have access to that particular application because i’m not working at that client anymore, but i’ll definitely use this if i do any future AD work

Yes, you can retrieve all members in a AD group with one LDAP request and suppress request roundtrips to the AD.
I don’t know your application, but my experience is that using the DirectorySearcher class in such situations has some advantages.

1. You can work with disconnected search results
2. By specifying the attributes in which you are interested in, you can limit the amount of data transported between the AD and the application.
3. You can use Attribute scope queries. This might be important for your application.
Example: when your are interested in for example the e-mail addresses of the users in a group (or distribution list), you can use the group as root for the directory search, but specify which objects (and which attributes, in this case mail address) you want to return based on an attribute (in this case ‘member’) of the search root. As such the search root must not be transported to the application, and the results which may be spread around in the AD can be retrieved whithout any navigation.

When accessing AD from .NET, following thing are imho important:
- Choose the correct root object.
- Use disconnected model if possible.
- Be specific about attributes you want to access
- Use the correct scoping (Base, OneLevel or Subtree)
- Avoid sorting
- Use indexed attributes in filters
- Do not treat AD as a classic relational database, it isn’t one. So learn LDAP queries

Example code:

static void Main(string[] args)
{
string[] attribs = new string[]{“distinguishedName”, “sAMAccountName”, “name”, “mail”};
DirectoryEntry users = new DirectoryEntry(“LDAP://S2008:389/CN=Users,DC=lvk,DC=local”,
@”User”, “Password”, AuthenticationTypes.Secure);

DirectorySearcher ds = new DirectorySearcher(users, “(objectClass=group)”,
new string[] { “distinguishedName” ,”member”});
ds.CacheResults = true;

using (SearchResultCollection src = ds.FindAll())
{
Console.WriteLine(“Returning {0}”, src.Count);

foreach (SearchResult sr in src)
{
Console.WriteLine(“Processing group:{0}”, sr.Properties["distinguishedName"][0]);

DirectorySearcher ds2 = new DirectorySearcher(sr.GetDirectoryEntry(),
“(&(objectClass=user)(objectCategory=person))”, attribs);
ds2.SearchScope = SearchScope.Base;
ds2.AttributeScopeQuery = “member”;
ds2.CacheResults = true;

using (SearchResultCollection src2 = ds2.FindAll())
{
foreach (SearchResult sr2 in src2)
{
foreach (string s in attribs)
{
if (sr2.Properties.Contains(s) && sr2.Properties[s].Count > 0)
{
Console.WriteLine(“{0}: {1}”, s, sr2.Properties[s][0]);
}
}
Console.WriteLine();
}
}
Console.WriteLine(“——————————————————————–”);
}
}
Console.ReadLine();
}

If you use a sniffer, you should see that all the members in a group (and the requested attributes) are retrieved with one LDAP query.

I’d need to look at the GroupPrincipal.Dispose method in reflector to be sure, but i’d rather dispose it and get rid of the reference entirely once i no longer need it, especially if we’re talking about a loop that still takes a few minutes.