GroupPrincipal.GetMembers fails when group (or child group if recursive) contains ForeignSecurityPrincipal

Question

This is not so much a question as information for anyone experiencing the same problem.

The following error occurs:

System.Directory         


        

Answer 1

The accountmanagement library has many saddening defects, this is just another of the many...

One thing you can do to make things slightly faster would be to adjust your LDAP query so that it checks both group membership and object type at the same time as part of the query instead of in the loop. Honestly I doubt it will make much difference though.

Most of the inspiration for the query came from How to write LDAP query to test if user is member of a group?.

Query: (&(!objectClass=foreignSecurityPrincipal)(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

Note: This is an untested query...

IF there was a way to run an LDAP query in AccountManagement (another gripe of mine) then this would be the end of your troubles as you could run the query and let AccountManagement take it from there, but this option does not exist...

Based on personal experience I don't see any other options if you stick with AccountManagement. What you could do is dump AccountManagement and use just DirectoryServices. Under the hood all AccountManagement does is wrap DirectoryEntry objects anyways, you could write a few helper classes to do similar things.