This documentation is archived and is not being maintained.

ActiveDirectoryMembershipUser Class

Exposes and updates membership user information stored in an Active Directory data store.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[AspNetHostingPermissionAttribute(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public class ActiveDirectoryMembershipUser : MembershipUser

The ActiveDirectoryMembershipUser object is used to represent a single membership user in the Active Directory membership data store. It exposes information about the membership user such as the e-mail address, and provides functionality for the membership user such as the ability to change or reset his or her password.

An ActiveDirectoryMembershipUser object is returned by the application's membership provider whenever the application is configured to use an Active Directory data store. In an application that can be configured to use different data stores, or in an application that uses multiple data stores, you can refer to the base class, MembershipUser. Because the ActiveDirectoryMembershipUser object does not implement the LastActivityDate and LastLoginDate properties, you must be prepared to handle the NotSupportedException that is thrown when these members are accessed on an ActiveDirectoryMembershipUser object.

The ActiveDirectoryMembershipUser class implements internal optimizations used by the ActiveDirectoryMembershipProvider class to minimize the number of attribute updates that occur when calling the UpdateUser method. It also serializes the SecurityIdentifier representation (available in the ProviderUserKey property) so that an ActiveDirectoryMembershipUser object can be serialized and deserialized without throwing exceptions.

A ActiveDirectoryMembershipUser object is returned by the GetUser and CreateUser methods or as part of a MembershipUserCollection returned by the GetAllUsers, FindUsersByName, and FindUsersByEmail methods.

An ActiveDirectoryMembershipUser object is required by the UpdateUser method when you want to update the information for an existing membership user.

ActiveDirectoryMembershipUser properties are mapped to Active Directory attributes. The following table lists the ActiveDirectoryMembershipUser properties and their default attribute mappings.


Default directory attribute

Can be mapped?






Yes, but must be either userPrincipalName or sAMAccountName









Yes, but must be a single-valued attribute of type Unicode String.



Not supported by ActiveDirectoryMembershipProvider.



Not supported by ActiveDirectoryMembershipProvider.





none, but must be mapped to an attribute if using question-and-answer security for password reset or retrieval.

Yes, but must be a single-valued attribute of type Unicode String.


User-Account-Control (AD)

mDS-UserAccountDisabled (ADAM)



computed from lockoutTime and the AD lockout duration (AD on Windows 2000)

msDS-User-Account-Control-Computed (AD on Windows Server 2003)

msDS-User-Account-Control-Computed (ADAM)



If locked out due to too many bad password attempts, the lockout time attribute is returned.

If locked out due to too many bad password answer attempts, the value stored in the attribute defined by attributeMapFailedPasswordAnswerLockoutTime is returned.

If locked out due to both a bad password and too many bad password attempts, the most recent date/time value is returned.

If the account is not locked out, return 1/1/1753 for SQL compatibility.


The following code example demonstrates using properties on the ActiveDirectoryMembershipUser object on a Web page that may return user information from multiple membership data stores. Because the ActiveDirectoryMembershipUser object that underlies the MembershipUser object returned by the membership provider does not implement the LastActivityDate and LastLoginDate properties, the code first checks the type of the user object returned from the membership provider before displaying the contents of those properties.

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

<script runat="server">

  protected void Page_Load(object sender, EventArgs e)
    MembershipUser user =

    userName.Text = user.UserName;
    emailAddress.Text = user.Email;

    if (user is ActiveDirectoryMembershipUser)
      lastLoginDate.Text = "Not available";
      lastActivityDate.Text = "Not available";
      lastLoginDate.Text = user.LastLoginDate.ToShortDateString();
      lastActivityDate.Text = user.LastActivityDate.ToShortDateString();

    System.Security.Principal.SecurityIdentifier sidValue =

    sid.Text = sidValue.ToString();

<html xmlns="">
<head runat="server">
  <title>User information</title>
  <form id="form1" runat="server">
            User name:</td>
            <asp:Literal ID="userName" runat="server" /></td>
            E-mail Address:</td>
            <asp:Literal ID="emailAddress" runat="server" /></td>
            Last Login Date:</td>
            <asp:Literal ID="lastLoginDate" runat="server" /></td>
            Last Activity Date:</td>
            <asp:Literal ID="lastActivityDate" runat="server" /></td>
            Security Identifier SID:</td>
            <asp:Literal ID="sid" runat="server" /></td>


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0