Discussion:
How to get "primaryGroupToken" using C#?
Andy
2006-03-23 23:28:02 UTC
I am unable to remove the Domain Users group from a user's membership unless I change
the user's primary group first.

SecurityIdentifier DomainUsersSid = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid, DOMAIN_SID);

DirectoryEntry DomainUsersGroup = new DirectoryEntry(String.Format(@"LDAP://<SID={0}>", DomainUsersSid.Value));

object grouptoken = DomainUsersGroup.Invoke("GetInfoEx", new object[] { "primaryGroupToken" }, 0);

or

grouptoken = DomainUsersGroup.Properties["primaryGroupToken"];

Always returns NULL, even for the Domain Users group.
Joe Kaplan (MVP - ADSI)
2006-03-24 00:45:48 UTC
The primaryGroupToken is just a constructed attribute that returns the RID
of the group. If you already have the SID of the group (and you do in the
code below since you have a SecurityIdentifier object), you have the RID.
It is the last 4 bytes of the SID.

Just call GetBinaryForm to get the binary version of the data, grab the last
4 bytes of the array and use the BitConverter class to turn that into an
Int32.

If you want to do it with LDAP, it should work though. Just do:
DomainUsersGroup.RefreshCache(new string[] {"primaryGroupToken"});
int pgt = (int) DomainUsersGroup.Properties["primaryGroupToken"].Value;

Joe K.
Andy
2006-03-26 23:08:11 UTC
For some reason group.Properties["primaryGroupToken"].Value returns null, but
the code below works:

byte[] sid = (byte[])group.Properties["objectSid"].Value;
int grouptoken = BitConverter.ToInt32(sid, 24);
user.Properties["primaryGroupID"].Value = grouptoken;
Joe Kaplan (MVP - ADSI)
2006-03-27 04:25:10 UTC
Did you do the RefreshCache step before accessing primaryGroupToken? It is
a constructed attribute and isn't loaded into the cache by default. You
must explicitly ask for it.

However, the objectSid trick works fine and gets you the exact same data, so
it really doesn't matter.

Joe K.
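
The fixed offset 24 used with objectSid in this thread assumes a 28-byte domain SID (five sub-authorities). As an added example, not code from either poster, the following locates the RID from the sub-authority count in the SID header instead; the `SidRid` class, the `GetRid` name and the sample domain SID are constructed for illustration.

```csharp
using System;
using System.Security.Principal;

static class SidRid
{
    // Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    // identifier authority (6 bytes), then count * 4-byte little-endian
    // sub-authorities. The RID is the last sub-authority.
    public static int GetRid(byte[] sid)
    {
        if (sid == null || sid.Length < 8)
            throw new ArgumentException("SID is shorter than its 8-byte header.", nameof(sid));
        if (sid[0] != 1)
            throw new ArgumentException("Unsupported SID revision.", nameof(sid));

        int count = sid[1];
        if (count == 0 || sid.Length != 8 + 4 * count)
            throw new ArgumentException("SID length does not match its sub-authority count.", nameof(sid));

        // Offset of the last sub-authority; equals 24 only when count is 5.
        int offset = 8 + 4 * (count - 1);
        return BitConverter.ToInt32(sid, offset); // Windows hosts are little-endian
    }

    static byte[] ToBytes(SecurityIdentifier sid)
    {
        byte[] buffer = new byte[sid.BinaryLength];
        sid.GetBinaryForm(buffer, 0);
        return buffer;
    }

    static void Main()
    {
        // Constructed sample domain SID (hypothetical, not a real domain).
        var domain = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333");
        var domainUsers = new SecurityIdentifier(WellKnownSidType.AccountDomainUsersSid, domain);
        byte[] domainUsersBytes = ToBytes(domainUsers);

        // Both calls read the same four bytes for a 28-byte domain SID.
        Console.WriteLine(GetRid(domainUsersBytes));
        Console.WriteLine(BitConverter.ToInt32(domainUsersBytes, 24));

        // A built-in group SID (S-1-5-32-544) is only 16 bytes long, so a
        // fixed offset of 24 would throw; GetRid still finds the RID.
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine(GetRid(ToBytes(admins)));
    }
}
```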