Initial disclaimer: I am not a developer. I don’t even play one on TV.
However, now that that’s out of the way, since I am “the AD guy” who’s usually around in MS IT, and am more often than not willing to answer questions (whether I know the answer or not), I tend to get a lot of questions around programs interacting with AD. One question, which I’ve been asked at least 3 times (in various forms) in the past few months, goes something like this:
“When a user comes to my application, query the member attribute of the security group that we want, and then loop through it to see if the user is a member. This worked great until we expanded our pilot, and there are now 7,000 members of the group. Is there a more performant way of doing this? We have tried using isMemberOf, but that doesn’t work so well either”
Now, I figure there are probably better ways built into the OS to do this to begin with, but then again, maybe not… At least not in the “edge case” territory, which is where I often seem to live. The reply that I’ve started to give, goes something like this:
If all you really care about, is whether the user is a member of a specific group, then that’s what you should ask AD.
More specifically, you should change your code so that it gets the distinguished name of the user, and then query AD for “all security groups, with the name <your group here>, that contain user <userDN>. To see if BPuhl is a member of the FooBar security group, it would look something like this:
First, get the DN for BPuhl: cn=bpuhl,ou=users,dc=ms,dc=com
Second, check to see if there is a group that he’s a member of:
Depending on how they “know” the name of their group, either way the performance is the same
With this query though, If you get an object back from AD, then the object will be your security group, and you will implicitly know that the user was a member. If the user isn’t a member, then AD will return back nothing, because there “are no security groups with a name of foobar that contain user bpuhl”
I’m sure there are better ways of doing this, but I get the impression that they become implementation specific, etc… and the folks who are usually asking the question are IT pro’s instead of developers, and tend to be fairly light, even on .NET stuff.
If anyone else has a better answer to this question though, I’d love to hear it!