Wednesday, June 5, 2013

Coding for Active Directory: Programmatically Get or Set Obscure Attribute Data in C#

If you are an organization of any size, chances are you have an Active Directory instance sitting around, and maybe some level of additional investment in Microsoft products beyond Windows on client machines and a couple of servers.  And the more investment you have, the more value you will get from having relevant data in your Active Directory.  You may even have some developers on staff who write applications in C# or VB .NET.  Chances are, though, your developers won't understand, or even want to understand, Active Directory.

They may, however, be able and willing to code to a few random source code examples that float around on the web, but most examples are not very feature-complete.  So it requires developers to dig into the musty underbelly layers of Active Directory to learn how to get what they need.  Few will dig.

You could purchase an API, but the licenses may be expensive, and you may only want to read or set a couple of attributes on a user or group object that nobody else seems to have documented how to do well enough to satisfy your developers.

Or you could just send your developers to the new Securology GitHub repository to pull down a fully-functional, open source, non-restrictively licensed API to include in their projects to get up and going.

Maybe you just dealt with a large-scale AD migration and you need to peel back the layers and extract user or group SIDs (Security Identifiers), or validate that SIDs from previous domains on imported objects are properly stored in the SID History?
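As an added illustration of that SID History check (this is example code, not code from the Securology repository), the following uses only the framework's System.DirectoryServices.AccountManagement and System.Security.Principal types: it reads the user's current SID, decodes every binary value stored in the sIDHistory attribute, and verifies that one of them belongs to the old domain. It assumes the caller runs as a domain account with read access to the user object; the account name and the old domain SID are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

public static class SidInspector
{
    // Current SID of the user object (the SID issued by this domain).
    public static SecurityIdentifier GetSid(PrincipalContext ctx, string samAccountName)
    {
        using (UserPrincipal user = FindUser(ctx, samAccountName))
        {
            return user.Sid;
        }
    }

    // Every SID stored in sIDHistory; empty list if the attribute is not set.
    // sIDHistory is multi-valued and each value is the binary form of a SID.
    public static List<SecurityIdentifier> GetSidHistory(PrincipalContext ctx, string samAccountName)
    {
        var history = new List<SecurityIdentifier>();
        using (UserPrincipal user = FindUser(ctx, samAccountName))
        {
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            foreach (object raw in entry.Properties["sIDHistory"])
            {
                history.Add(new SecurityIdentifier((byte[])raw, 0));
            }
        }
        return history;
    }

    // Post-migration validation: does the imported object still carry a SID from the old domain?
    // oldDomainSid is the domain SID (S-1-5-21-...), not a user SID, so the check is by domain part.
    public static bool HasSidFromDomain(PrincipalContext ctx, string samAccountName, SecurityIdentifier oldDomainSid)
    {
        return GetSidHistory(ctx, samAccountName).Any(s => s.IsEqualDomainSid(oldDomainSid));
    }

    private static UserPrincipal FindUser(PrincipalContext ctx, string samAccountName)
    {
        UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName);
        if (user == null)
        {
            throw new ArgumentException("No user with sAMAccountName '" + samAccountName + "' in this domain.");
        }
        return user;
    }

    public static void Main()
    {
        // Placeholder values; replace with the account and the old domain's SID.
        const string account = "jdoe";
        var oldDomain = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333");

        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            Console.WriteLine("Current SID: " + GetSid(ctx, account));
            foreach (SecurityIdentifier s in GetSidHistory(ctx, account))
            {
                Console.WriteLine("sIDHistory: " + s);
            }
            Console.WriteLine("Has SID from old domain: " + HasSidFromDomain(ctx, account, oldDomain));
        }
    }
}
```

The comparison is done on the domain part of each historical SID rather than on a full user SID, which is what an audit of an imported domain actually wants to know: that the object was migrated from the expected source domain, whatever RID it had there.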

Maybe you have a basic interface with your HR system, but don't want to shell out tons of cash to purchase a metadirectory tool like Identity Lifecycle Manager to move HR data like manager/reporting relationships around, but could really benefit from having that data in your Exchange, SharePoint or other application environments.

Maybe you need to set the user's employee number from your HR system on each AD user to identify the authoritative data source to satisfy an Active Directory Audit.

Maybe you just want to read or write the AD user's address, telephone, or even IP Phone number.

Maybe you have a mixed environment that also contains Unix servers and you need to set Unix attributes on the IT Unix Admin user accounts for a Unix SSO to AD product that you're using.

Maybe you'd like to programmatically set up Microsoft Exchange or Lync (Office Communicator) attributes?

Maybe you'd like a safer way to programmatically move or delete Active Directory objects?

Maybe you'd like an easier way to programmatically add or remove a user from an AD group?  Or maybe check if they already are in that group?

Maybe you'd like to populate your AD with Contact objects for business partners who don't need user accounts in your domain or forest, but so that they'll still show up in the Global Address List (GAL)?

Maybe you need a way to programmatically create an Organizational Unit (OU)?

Maybe you'd like to toggle an AD group from "Security" to "Distribution" and back again?  Or "domain local" to "universal"?  Or dump all of its members?  Or check if the AD group has no members?  Or set the "owner" of the group for audit/management purposes?

Maybe you'd like to prune back old computer objects?  Or build a report to show what Operating Systems are in your directory?  Or safely move or delete computer objects?

Maybe you'd like a way to expose the True Last Logon time of a user account without manually checking each Domain Controller and comparing times?  Or maybe you'd like a nice multi-threaded (and fast!) way of checking all Domain Controllers simultaneously?
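The reason this is a problem is that the lastLogon attribute is not replicated: each Domain Controller records only the logons it serviced itself, so the true value is the maximum across all of them. As an added example (not code from the Securology repository), the following enumerates the current domain's DCs with System.DirectoryServices.ActiveDirectory, queries each one in parallel with a DirectorySearcher, and returns the latest timestamp along with the list of DCs that could not be reached, so a partial answer is never mistaken for a complete one. It assumes the caller is a domain account that can read lastLogon and that the DCs are reachable over LDAP; the account name is a placeholder.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Threading.Tasks;

public sealed class LastLogonResult
{
    public DateTime? LastLogonUtc;          // null when no DC has ever seen the user log on
    public List<string> UnreachableDcs = new List<string>();
}

public static class TrueLastLogon
{
    public static LastLogonResult Get(string samAccountName)
    {
        var seen = new ConcurrentBag<DateTime>();
        var failed = new ConcurrentBag<string>();
        Domain domain = Domain.GetCurrentDomain();

        // lastLogon is non-replicated, so every DC must be asked; do it concurrently.
        Parallel.ForEach(domain.DomainControllers.Cast<DomainController>(), dc =>
        {
            try
            {
                long fileTime = ReadLastLogon(dc.Name, samAccountName);
                if (fileTime > 0)
                {
                    seen.Add(DateTime.FromFileTimeUtc(fileTime));
                }
            }
            catch (Exception)
            {
                // A DC that is down or unreachable must not abort the whole query,
                // but the caller needs to know the answer may be incomplete.
                failed.Add(dc.Name);
            }
        });

        return new LastLogonResult
        {
            LastLogonUtc = seen.IsEmpty ? (DateTime?)null : seen.Max(),
            UnreachableDcs = failed.OrderBy(n => n).ToList()
        };
    }

    // Query one specific DC (not a load-balanced domain path) for the raw lastLogon FILETIME.
    private static long ReadLastLogon(string dcName, string samAccountName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://" + dcName + "/RootDSE"))
        {
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var root = new DirectoryEntry("LDAP://" + dcName + "/" + baseDn))
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeFilterValue(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("lastLogon");
                SearchResult result = searcher.FindOne();
                if (result == null || !result.Properties.Contains("lastLogon"))
                {
                    return 0;
                }
                return (long)result.Properties["lastLogon"][0];
            }
        }
    }

    // RFC 4515 escaping so a caller-supplied name cannot alter the filter's structure.
    private static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    public static void Main()
    {
        LastLogonResult r = Get("jdoe"); // placeholder account name
        Console.WriteLine("True last logon (UTC): " + (r.LastLogonUtc.HasValue ? r.LastLogonUtc.ToString() : "never"));
        foreach (string dc in r.UnreachableDcs)
        {
            Console.WriteLine("WARNING: could not query " + dc + "; result may be incomplete");
        }
    }
}
```

Two details matter for correctness. The LDAP path names each DC explicitly, because a plain domain path would be served by whichever DC the locator picks and the per-DC values would be lost. And the filter value is escaped, since a sAMAccountName taken from user input or an HR feed would otherwise be able to change the query's meaning.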

If any of those are even remotely interesting to you, check out our extended version of Microsoft's System.DirectoryServices.AccountManagement namespace that we provide on GitHub.
