About System.DirectoryServices.AccountManagement
The System.DirectoryServices.AccountManagement API enables developers to create and manage new and existing principal accounts across multiple directories. Managed directory services applications can take advantage of the System.DirectoryServices.AccountManagement API to simplify management of directory principals. Solutions that previously required complex knowledge of the store or lengthy code, such as finding all groups a user belongs to, can now be accomplished in only a few lines of code.
Through the use of strongly typed user, computer, and group classes, the System.DirectoryServices.AccountManagement API provides uniform access to security principals across the following principal stores:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- Machine SAM
Object Model
The principal objects in the Account Management API include computer, group and user objects. These objects derive from the base principal class and an authenticable principal class as shown in the following illustration:
The principal objects all contain a principal context object that represents three things. First, the store (MSAM, AD DS, or AD LDS) that holds the principal. Second, the location of the principal in the store. Third, the credentials that are used to access the store.
Extended types
The Account Management API provides a means for applications to extend the object model to include custom schema object types. The extended types derive from any one of the types provided by the System.DirectoryServices.AccountManagement API as shown in the following object model diagram.
For example, an application connecting to the AD LDS store may want to extend the authenticable principal to include an EnterpriseUser class as shown in the following diagram. Another application connecting to the AD DS store may want to extend the User class to include an InetOrgPerson class. For more information about how to extend the System.DirectoryServices.AccountManagement object model, see the Principal Extensions overview topic.
Credential Validation
The Account Management API provides methods for credential validation. The ValidateCredentials method returns a Boolean and enables an application to check a user's credentials in different contexts.
Query By Example
The Query by Example method enables programmers to perform very complex searches that would be difficult in other APIs. Using the example objects, programmers just set the attributes that they want to filter on, and perform a search by calling either the FindOne or the FindAll method.
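The following added example (not part of the original topic) combines the two features described above: it validates a user's credentials over a signed and sealed Negotiate bind, then uses Query by Example to list enabled accounts whose passwords never expire. The domain name `corp.example.com` is a placeholder, and the program assumes it runs under an identity that can read the directory.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

class AccountManagementDemo
{
    static void Main()
    {
        // Assumption: placeholder domain name; replace with your AD DS domain.
        const string domain = "corp.example.com";

        // The context names the store type and its location. No credentials
        // are passed, so the calling process identity is used to access it.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            Console.Write("User name: ");
            string user = Console.ReadLine();
            Console.Write("Password: ");
            string password = Console.ReadLine(); // demo only: input is echoed

            // Negotiate with signing and sealing protects the bind on the wire.
            // ContextOptions.SimpleBind without SecureSocketLayer would send
            // the password in cleartext.
            bool ok = ctx.ValidateCredentials(user, password,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            Console.WriteLine(ok ? "Credentials accepted." : "Credentials rejected.");

            // Query by Example: set only the attributes to filter on.
            using (var example = new UserPrincipal(ctx))
            {
                example.Enabled = true;
                example.PasswordNeverExpires = true;

                using (var searcher = new PrincipalSearcher(example))
                using (PrincipalSearchResult<Principal> results = searcher.FindAll())
                {
                    foreach (Principal p in results)
                    {
                        using (p)
                            Console.WriteLine("{0}\t{1}", p.SamAccountName, p.DistinguishedName);
                    }
                }
            }
        }
    }
}
```

ValidateCredentials reports only success or failure, so log the attempt and its result on the calling side if failed validations need to be monitored.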
See Also
Reference
System.DirectoryServices.AccountManagement
Concepts
Using System.DirectoryServices.AccountManagement
Copyright © 2008 by Microsoft Corporation. All rights reserved.