The problem

There is a really convenient method that can be used to retrieve a flat list of all the groups (event nested) given a known UserPrincipal, e.g. the current user, the really amazing thing is that the method saves you from doing a group recursion to retrieve the groups relationships in order to detect that a user belongs to a group A that belongs to a group B.

The above method utilizes, as far as I know, the security tokens attached to a given user principal and then resolves the group names given the group SID.

The problem is that that method can fail with a really strange exception “NoMatchingPrincipalException” (the group cannot be found) that is typically related to 2 different scenarios:

  1. One, or more, of the group has SID History enabled;
  2. In a complex domain topology one of the DC is not available at the moment of the query;

To make a long story short: we simply cannot rely on that method, period.

The solution

IEnumerable<String> GetGroups( String samAccountName )
var userNestedMembership = new List<string>();

var domainConnection = new DirectoryEntry();
domainConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;

var samSearcher = new DirectorySearcher();

samSearcher.SearchRoot = domainConnection;
samSearcher.Filter = "(samAccountName=" + samAccountName + ")";
samSearcher.PropertiesToLoad.Add( "displayName" );

var samResult = samSearcher.FindOne();

if ( samResult != null )
var theUser = samResult.GetDirectoryEntry();
theUser.RefreshCache( new string[] { "tokenGroups" } );

foreach ( byte[] resultBytes in theUser.Properties[ "tokenGroups" ] )
var SID = new SecurityIdentifier( resultBytes, 0 );
var sidSearcher = new DirectorySearcher();

sidSearcher.SearchRoot = domainConnection;
sidSearcher.Filter = "(objectSid=" + SID.Value + ")";
sidSearcher.PropertiesToLoad.Add( "name" );

var sidResult = sidSearcher.FindOne();
if ( sidResult != null )
userNestedMembership.Add( ( string )sidResult.Properties[ "name" ][ 0 ] );

return userNestedMembership;

A bunch of old good directory services related code :-) where the really really really, have I said really?, important piece is the following:

theUser.RefreshCache( new string[] { "tokenGroups" } );

That asks to the underlying system to refresh the cache of the groups security tokens attached to the given user.