# Get all members of an Active Directory group or local group

## chris128

You can use this to find a list of all of the members of any group in AD. You will need to add a reference to *System.DirectoryServices* first though.

vb.net Code:
```
'Change the OU path and group name to suit your environment
Dim GroupDE As New DirectoryEntry("LDAP://CN=YourGroupName,OU=YourGroupsOU,DC=yourdomainname,DC=com")
Dim Members As Object = GroupDE.Invoke("Members", Nothing) '<<< Get members
For Each Member As Object In CType(Members, IEnumerable)  '<<< loop through members
    Dim CurrentMember As New DirectoryEntry(Member) '<<< Get directoryentry for user
    MessageBox.Show(CurrentMember.Name.Remove(0, 3))  '<<< Show each user's name in a messagebox
Next

'NOTE: You should also dispose of each DirectoryEntry that you use, either by using the Dispose method
'or by using a "Using" statement. I haven't included this in my example above just to keep it short
'and to the point.
```

As you can see in my example, I am just displaying all of the members' names in a messagebox, but if you want to get different attributes instead of just the name then remove that line and use the DirectoryEntry object for each member to get whatever attributes you want.

Note that you can also get group members by using the "members" attribute of a group (e.g. cast *GroupDE.Properties("members").Value* to an array of strings and each string will be the full LDAP path to each member, so you can then bind a new DirectoryEntry to that path) but I believe there are some slight differences in the way that this works when compared to just invoking the Members method (like I do in the code example above).

Hope it helps someone out

Chris

----------


## chris128

Just to add to this, you can use a similar technique for getting group members from a local computer. Just use the WinNT provider instead of the LDAP provider.

Here is an example that gets the users of the local Administrators group from a specified computer:


vb.net Code:
```
Dim MachineName As String = "Some_PC_Name" '<<< Put the PC name or IP here that you want to connect to
Dim Admins As New DirectoryEntry("WinNT://" & MachineName & "/Administrators") 'Connect to machine

Dim Members As Object = Admins.Invoke("Members", Nothing) 'Get members
For Each Member As Object In CType(Members, IEnumerable)  'loop through members
    Dim CurrentMember As New DirectoryEntry(Member) 'Get directoryentry for user
    MessageBox.Show(CurrentMember.Name) 'Show the user's name in a messagebox
Next
```

----------


## BertMan

Excellent post. What if I wanted to enumerate all users on a local computer, and not just ones from a specific group?

----------


## BertMan

> Excellent post. What if I wanted to enumerate all users on a local computer, and not just ones from a specific group?


Sorry, meant to specify using the WinNT provider....

----------


## chris128

Already thought of that: http://www.vbforums.com/showthread.php?t=590129

----------


## BertMan

Thanks!! 

Can you explain to me or point me to some documentation that explains where the WinNT provider is pulling this info? Also, I am going to need to do a lot of queries to local accounts, and if there is something out there that can list all the different properties and methods that would be great. For example, the next thing I need to do is find out if a local account is disabled, and disable it if need be. Where do I find out what properties are available to the user object?

----------


## BertMan

Sorry, just realized that I am in the code bank section. Mods, feel free to delete my posts and I will post in the correct location.

----------


## chris128

> Thanks!! 
> 
> Can you explain to me or point me to some documentation that explains where the WinNT provider is pulling this info? Also, I am going to need to do a lot of queries to local accounts, and if there is something out there that can list all the different properties and methods that would be great. For example, the next thing I need to do is find out if a local account is disabled, and disable it if need be. Where do I find out what properties are available to the user object?


I've no idea how exactly the WinNT provider gets the information I'm afraid but here is a reference of all the properties that you should be able to get from a user account you retrieved with it: http://msdn.microsoft.com/en-us/libr...(v=VS.85).aspx and there is also this article that mentions some properties which are not available when using the WinNT provider: http://msdn.microsoft.com/en-us/libr...(v=VS.85).aspx

----------


## DanLen

Hi Chris,
very great code for the group members in the active directory, but I have a little problem:

I must use the result of the Listbox to query another database.
If I select an item in the List box I can't use it for the other query.
I tested to show me the selected item in a textbox.text, but it doesn't work.

I don't find the bug in the code.

Can you help me, please?

best regards
Daniel

----------


## chris128

> Hi Chris,
> very great code for the group members in the active directory, but I have a little problem:
> 
> I must use the result of the Listbox to query another database.
> If I select an item in the List box I can't use it for the other query.
> I tested to show me the selected item in a textbox.text, but it doesn't work.
> 
> I don't find the bug in the code.
> 
> ...


That sounds like nothing to do with this code, just general coding advice, so post it in the VB.NET forum.

----------


## tonyflora6

Hi Chris

Great post!

I have 2 questions.

1. Is it possible to list the domains of the users?....Domain\useraccount
MachineName\Administrator.
2. Is it possible to connect to the WinNT provider with administrative credentials?

Thanks

----------


## tonyflora63

> Just to add to this, you can use a similar technique for getting group members from a local computer. Just use the WinNT provider instead of the LDAP provider.
> 
> Here is an example that gets the users of the local Administrators group from a specified computer:
> 
> 
> vb.net Code:
> Dim MachineName As String = "Some_PC_Name" '<<< Put the PC name or IP here that you want to connect to
> Dim Admins As New DirectoryEntry("WinNT://" & MachineName & "/Administrators") 'Connect to machine
>                 
> ...


Hi Chris excellent post.

How can you authenticate with an admin account when using the winNT provider to get the local admin group members?

Thanks

----------


## hellvis

Hi from Bavaria,

sorry for reviving this thread...

How should this code be modified to get displayed the "display name" or "description" or sth else instead of the Username?
Writing a little application for a normal loser user to query ldap to check who of his co-workers are in certain AD groups.
Usernames are not descriptive in our environment.

thanks !

----------


## chris128

> Hi from Bavaria,
> 
> sorry for reviving this thread...
> 
> How should this code be modified to get displayed the "display name" or "description" or sth else instead of the Username?
> Writing a little application for a normal loser user to query ldap to check who of his co-workers are in certain AD groups.
> Usernames are not descriptive in our environment.
> 
> thanks !


Instead of getting the Name property of the DirectoryEntry, just use the Properties collection and specify the LDAP name of the attribute you want to get. So in your case that would be "displayName" or "description". So for example:



```
For Each Member As Object In CType(Members, IEnumerable)  '<<< loop through members

Dim CurrentMember As New DirectoryEntry(Member) '<<< Get directoryentry for user

ListBox1.Items.Add(CurrentMember.Properties("displayName").Value)  '<<< Add user's display name to listbox

Next
```

Something like that

----------


## hellvis

Hmpf so easy, thanks a lot !

Ha, just recognized you are THIS Chris, world is so small!
I am still using your tool NTFS Permissions Reporter and the free version of AD Photo Edit.
Greets, Simon

----------


## chris128

> Hmpf so easy, thanks a lot !
> 
> Ha, just recognized you are THIS Chris, world is so small!
> I am still using your tool NTFS Permissions Reporter and the free version of AD Photo Edit.
> Greets, Simon


haha yes it is a small world. Glad you're finding my tools useful and hope the .NET code helps you out as well

Also, I've just updated the original post in this thread to clean up the code example and add some additional notes and explanations.

----------


## hellvis

One more question...general coding but relating to this topic. Read through hundreds of threads but still too stupid.

I list all members of a given AD group in a CheckedListBox.

Checked items shall be added to another AD Group "GroupA" , my code is like this :
Referring to M$ http://msdn.microsoft.com/en-us/libr...=vs.80%29.aspx



```
Private Sub Button8_Click_1(sender As System.Object, e As System.EventArgs) Handles Button8.Click
       
        Dim group As New DirectoryEntry("LDAP://CN=GroupA,OU=Groups,DC=XXX,DC=de")
  
        group.Properties("member").Add(CheckedListBox1.CheckedItems)
      
        group.CommitChanges()
    End Sub
```


In some thread i read to replace 

group.Properties("member").Add(CheckedListBox1.CheckedItems)
by
group.Invoke("Add", New Object() {CheckedListBox1.Items})


Well, both not working.
VS is linking me to M$ http://msdn.microsoft.com/query/dev1...ng-VB)&rd=true


I am sure you'll be laughing, but you can help me :-)

Thx, Simon

----------


## chris128

Well it depends what you've got in your listbox items. If I remember rightly the string you need to pass in to the Add method is the distinguished name (aka LDAP path) of the member you want to add (e.g CN=User1,OU=blah,DC=domain,DC=de). I don't think you can pass in multiple members at once either, so that might be why your code is failing (because you're passing in the CheckedItems property or Items property, and that is a list/array of items rather than a single item). So you would need to do a loop through the checked items like so:



```
For Each MemberPath As String In CheckedListBox1.CheckedItems
   group.Invoke("Add", New Object() {MemberPath})
Next
group.CommitChanges()
```

Sorry if that doesn't work exactly, it is just off the top of my head. Hopefully points you in the right direction though

----------


## hellvis

Hi Chris,

Yes, thanks for pointing me!
Solved it like this:



```

Dim group As New DirectoryEntry("LDAP://CN=Groupname,OU=XXX-Groups,DC=XXX,DC=de")

For Each MemberPath As DirectoryEntry In CheckedListBox1.CheckedItems

    Dim User As String

    User = MemberPath.Name

    group.Properties("member").Add(User & ",OU=XXX-Users,DC=XXX,DC=de")

Next

group.CommitChanges()
```



Thanks ! Simon

----------


## ngage

Sorry to revive this one again, but I am using your code to get the membership of the admins group on a server.  There are AD and local groups nested in the group membership.  Is there a way to determine if a group is local vs an AD group?

----------


## gtarnold

> Sorry to revive this one again, but I am using your code to get the membership of the admins group on a server.  There are AD and local groups nested in the group membership.  Is there a way to determine if a group is local vs an AD group?


Parse the ADsPath to identify local vs AD group (ref: https://blogs.technet.microsoft.com/...-domain-users/)

----------
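The ADsPath parsing suggested in the last reply, sketched as an added example that is not part of any post in this thread: it classifies each member of a local group as local, domain or well-known by the shape of its WinNT path, which is what you need when auditing who really holds local admin rights. The path shapes in the comment, the `MemberScope` enum, the `Classify` function and the sample paths (machine `SRV01`, domain `CONTOSO`) are assumptions made for illustration.

```vbnet
Imports System

Module AdsPathScope
    Enum MemberScope
        LocalToMachine   ' account or group defined on the machine itself
        Domain           ' account or group from a domain
        WellKnown        ' NT AUTHORITY principals such as INTERACTIVE
        Unknown          ' unexpected shape, e.g. an orphaned SID
    End Enum

    ' Assumed WinNT path shapes (not taken from the thread):
    '   WinNT://<domain-or-workgroup>/<machine>/<name>  -> local to <machine>
    '   WinNT://<domain>/<name>                         -> domain principal
    '   WinNT://NT AUTHORITY/<name>                     -> well-known principal
    Function Classify(adsPath As String, machineName As String) As MemberScope
        Const Prefix As String = "WinNT://"
        If String.IsNullOrEmpty(adsPath) OrElse
           Not adsPath.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase) Then
            Return MemberScope.Unknown
        End If

        Dim parts As String() = adsPath.Substring(Prefix.Length).Split("/"c)
        If parts.Length = 3 AndAlso
           String.Equals(parts(1), machineName, StringComparison.OrdinalIgnoreCase) Then
            Return MemberScope.LocalToMachine
        End If
        If parts.Length = 2 Then
            If String.Equals(parts(0), "NT AUTHORITY", StringComparison.OrdinalIgnoreCase) Then
                Return MemberScope.WellKnown
            End If
            Return MemberScope.Domain
        End If
        Return MemberScope.Unknown
    End Function

    Sub Main()
        ' Constructed sample paths; in the thread's loop they would come from CurrentMember.Path
        Dim samples As String() = {
            "WinNT://CONTOSO/SRV01/Administrator",
            "WinNT://CONTOSO/SRV01/LocalOps",
            "WinNT://CONTOSO/Domain Admins",
            "WinNT://NT AUTHORITY/INTERACTIVE",
            "WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105"
        }
        For Each p As String In samples
            Console.WriteLine("{0,-58} {1}", p, Classify(p, "SRV01"))
        Next
    End Sub
End Module
```

A member reported as `Unknown`, such as the bare SID in the last sample, usually deserves a manual look, since it may be an account that no longer resolves.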

