The System.DirectoryServices.AccountManagement API enables developers to create and manage new and existing principal accounts across multiple directories. Managed directory services applications can take advantage of the System.DirectoryServices.AccountManagement API to simplify management of directory principals. Solutions that previously required complex knowledge of the store or lengthy code, such as finding all groups a user belongs to, can now be accomplished in only a few lines of code.
Through the use of strongly typed user, computer, and group classes, the System.DirectoryServices.AccountManagement API provides uniform access to security principals across the following principal stores:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Service (AD LDS)
The principal objects in the Account Management API include computer, group and user objects. These objects derive from the base principal class and an authenticable principal class as shown in the following illustration:
The principal objects all contain a principal context object that represents three things. First, the store (MSAM, AD DS, or AD LDS) that holds the principal. Second, the location of the principal in the store. Third, the credentials that are used to access the store.
The Account Management API provides a means for applications to extend the object model to include custom schema object types. The extended types derive from any one of the types provided by the System.DirectoryServices.AccountManagement API as shown in the following object model diagram.
For example, an application connecting to the AD LDS store may want to extend the authenticable principal to include an EnterpriseUser class as shown in the following diagram. Another application connecting to the AD DS store may want to extend the User class to include an InetOrgPerson class. For more information about how to extend the System.DirectoryServices.AccountManagement object model, see the Principal Extensions overview topic.
The Account Management API provides methods that allow for credential validation. The ValidateCredentials method returns a Boolean and enables an application to check a user's credentials in different contexts.
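The following C# sketch is an added example, not code from the original documentation. It builds a principal context from the three elements described above, validates a credential with an explicitly chosen bind type, and lists a user's security groups. The domain name, container path and class name are assumed placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Text;

static class AccountCheck
{
    // Assumed placeholder values; replace with your own domain and container.
    const string Domain = "corp.example.com";
    const string Container = "OU=Staff,DC=corp,DC=example,DC=com";

    // Returns true only when the directory accepts the user name and password.
    public static bool Validate(string userName, string password)
    {
        // Store = AD DS (ContextType.Domain), location = Domain. No credentials
        // are passed, so the context uses the identity of the calling process.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Pin the bind type: Negotiate with signing and sealing. A SimpleBind
            // without SecureSocketLayer would send the password in cleartext.
            var opts = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
            return ctx.ValidateCredentials(userName, password, opts);
        }
    }

    // Prints the security groups of a user, including nested membership.
    public static void PrintGroups(string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, Container))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) { Console.WriteLine("User not found under " + Container); return; }
            using (var groups = user.GetAuthorizationGroups())
                foreach (Principal g in groups) Console.WriteLine(g.SamAccountName);
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: AccountCheck <samAccountName>"); return; }
        Console.Write("Password: ");
        var pw = new StringBuilder();
        // Read without echo, and keep the password out of the command line.
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            pw.Append(k.KeyChar);
        Console.WriteLine();
        if (Validate(args[0], pw.ToString())) PrintGroups(args[0]);
        else Console.WriteLine("Credentials rejected.");
    }
}
```

Each rejected call is a failed logon attempt for that account, so it counts toward the domain's lockout threshold.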
Query By Example
Copyright © 2008 by Microsoft Corporation. All rights reserved.