Hi,

I am trying to access the "msDS-ResultantPSO" attribute value of an AD user using C#. I applied the Password Policy on a user, and it's showing the value in the "msDS-ResultantPSO" attribute. Now, I am trying to get this value using C# in the same way I get normal attributes of an AD user such as "FirstName, LastName, Email...". I added the ResultantPSO attribute along with the other normal attributes to load. My code brings back all normal attribute values except "msDS-ResultantPSO".

Please can anyone help me in this regard.

What I have tried:

I am trying to get this value using C# in the same way I get normal attributes of an AD user such as "FirstName, LastName, Email...". I added the ResultantPSO attribute along with the other normal attributes to load. My code brings back all normal attribute values except "msDS-ResultantPSO".
Updated 25-Jun-22 13:07pm

1 solution

Create a DirectoryEntry to the user's path. You can authenticate as anyone who has access to that path, like a service account, or the user's own credentials depending on your needs. The username format and flags specified in the code below ensure Kerberos authentication will be used, but again, that is up to your specific needs.

Then, the key is to simply tell the DirectoryEntry.Properties beforehand that you want the msDS-ResultantPSO property by using the .RefreshCache() method.


C#
// Requires a reference to the System.DirectoryServices assembly.
using System.DirectoryServices;

private void FgppTest()
{
    var path = "LDAP://a-dc.dev.contoso.local/CN=Fine Grained Password Policy User,CN=Users,DC=dev,DC=contoso,DC=local";
    var username = "fgppUser@dev.contoso.local";
    var password = "the password";
    var flags = AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    using (var de = new DirectoryEntry(path, username, password, flags))
    {
        // The msDS-ResultantPSO is what's called a "constructed" attribute. It
        // doesn't physically exist in the directory on disk. So we must
        // explicitly request it.
        de.RefreshCache(new string[] { "msDS-ResultantPSO" });

        // Note, if the user doesn't have a FGPP set, this would throw an index
        // out of range error. If you need this code to be more general, you can
        // check the property count beforehand.
        var fgpp = de.Properties["msDS-ResultantPSO"][0].ToString();
        
        System.Diagnostics.Debug.WriteLine(fgpp);
    }
}
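
A more general form of the lookup above, as an added example that is not part of the original answer: it returns null instead of throwing when no fine-grained policy applies, then reads a few settings from the resulting PSO. The class and method names are hypothetical, and it assumes the bound account has read access to the PSO object and that the DNs contain no characters that need escaping in an ADSI path.

```csharp
using System;
using System.DirectoryServices;

static class ResultantPsoReader   // hypothetical helper, not from the original answer
{
    // Returns the DN of the PSO that applies to the user, or null when no
    // fine-grained policy applies (the domain password policy is in effect).
    public static string GetResultantPsoDn(DirectoryEntry user)
    {
        // Constructed attribute: it must be requested explicitly.
        user.RefreshCache(new[] { "msDS-ResultantPSO" });
        PropertyValueCollection values = user.Properties["msDS-ResultantPSO"];
        return values.Count > 0 ? values[0].ToString() : null;
    }

    public static void PrintEffectivePolicy(string server, string userDn,
                                            string username, string password)
    {
        var flags = AuthenticationTypes.Secure | AuthenticationTypes.Signing |
                    AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

        using (var user = new DirectoryEntry("LDAP://" + server + "/" + userDn,
                                             username, password, flags))
        {
            string psoDn = GetResultantPsoDn(user);
            if (psoDn == null)
            {
                Console.WriteLine("No PSO applies; the domain password policy is in effect.");
                return;
            }

            // Binding fails with an exception if the account cannot see the PSO.
            using (var pso = new DirectoryEntry("LDAP://" + server + "/" + psoDn,
                                                username, password, flags))
            {
                string[] attrs = { "msDS-PasswordSettingsPrecedence", "msDS-MinimumPasswordLength",
                                   "msDS-PasswordHistoryLength", "msDS-PasswordComplexityEnabled",
                                   "msDS-LockoutThreshold" };
                pso.RefreshCache(attrs);
                Console.WriteLine("Resultant PSO: " + psoDn);
                foreach (string attr in attrs)
                {
                    object value = pso.Properties[attr].Value ?? "(not returned)";
                    Console.WriteLine("  " + attr + " = " + value);
                }
            }
        }
    }
}
```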
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


