Thursday, December 23, 2010

How to read in Active Directory

Dynamics Ax relies on Active Directory for user authentication. And thanx to CLR Interop, you too can use Active Directory and all it's objects and properties from within Ax. You can use AD for what it is designed for: a central storage location for application data.

But how does one get to read information from the AD? In following code snippet, I'll show you how to collect a list of all users from a specific domain, with some basic information about those users.
For this, we'll use the System.DirectoryServices namespace, an easy way of getting access to Active Directory from managed code.

In order for your code to work, don't forget to edit the networkDomain variable!

static void ReadFromAD(Args _args)
System.DirectoryServices.DirectorySearcher DirectorySearcher;
System.DirectoryServices.SearchScope SearchScope;
System.DirectoryServices.DirectoryEntry DirectoryEntry;

System.DirectoryServices.SearchResultCollection SearchResultCollection;
System.DirectoryServices.SearchResult SearchResult;

System.DirectoryServices.PropertyCollection PropertyCollection;
System.DirectoryServices.PropertyValueCollection PropertyValueCollection;

str networkDomain="";
str prefix = 'LDAP://';

int totalCount;
int counter;

str mysamaccountname;
str myusername;

DirectoryEntry = new System.DirectoryServices.DirectoryEntry(prefix + networkDomain);
SearchScope = CLRInterop::parseClrEnum('System.DirectoryServices.SearchScope', 'Subtree');

DirectorySearcher = new System.DirectoryServices.DirectorySearcher(DirectoryEntry);

SearchResultCollection = DirectorySearcher.FindAll();

totalCount = SearchResultCollection.get_Count();
for (counter=0; counter < totalcount; counter++)
SearchResult = SearchResultCollection.get_Item(counter);
DirectoryEntry = SearchResult.GetDirectoryEntry();

if (DirectoryEntry)
PropertyCollection = DirectoryEntry.get_Properties();

if (PropertyCollection)
PropertyValueCollection = PropertyCollection.get_Item('samaccountname');

PropertyValueCollection = PropertyCollection.get_Item('name');

info(strfmt('%1 - %2',mysamaccountname,myusername));

catch (Exception::CLRError)
error("Error reading AD");



  1. What are the security dependencies for this code?

  2. Hi there,

    Thanx for your question.
    I hope this article from the Microsoft site answers your question, if not please elaborate:

    There is no requirement for the Microsoft Dynamics AX administrator to be a Windows domain administrator to import users from Active Directory.
    When a domain administrator in Active Directory is logged in to Microsoft Dynamics AX as a Microsoft Dynamics AX administrator and tries to import Active Directory users, the administrator can see all users in Active Directory and can import them into Microsoft Dynamics AX successfully.
    If a Microsoft Dynamics AX administrator who is not a domain administrator in Active Directory tries to import Active Directory users, only a subset of the users in Active Directory will appear. This occurs because of security functionality in the Active Directory Group Policy Objects (GPO).
    To allow Microsoft Dynamics AX administrators rights to Active Directory, you must grant Authenticated users security group membership to the Microsoft Dynamics AX administrators. They can then see the complete list of Active Directory users during import.

  3. This comment has been removed by the author.

  4. This comment has been removed by the author.

  5. This comment has been removed by the author.