Active Directory Lookup in AX 2012

As you may be aware by now, AX allows you to create users of type “active directory group”. Once set up, such a group auto-creates AX users for its members when they try to log in. Furthermore, users (whether auto-created or manually created) who belong to these groups inherit the security permissions assigned to these groups.

One challenge, however, is debugging this, i.e. finding out which users are members of specific groups or what groups a specific user belongs to. My previous post was about how to determine ownership via command line. After a bit of reflection I thought it may be better and more useful to have this functionality directly within AX. Attached is an XPO with the relevant code (use at your own risk).


Basically it adds a class to AX as well as a lookup menu item to UserListPage form and the User form.

Please let me know your comments.

Here is a sample job if you don’t want to download the full project. It prints all groups for a user.

static void adGroups(Args _args)
{
    System.DirectoryServices.AccountManagement.PrincipalContext yourDomain;
    System.DirectoryServices.AccountManagement.UserPrincipal user;
    System.DirectoryServices.AccountManagement.GroupPrincipal p;
    CLRObject groups, enum;
    System.String domain, username1, groupName;
    str groupN;
    UserId userId = curUserId();
    InteropPermission permission;
    UserInfo userInfo;

    try
    {
        // CLR interop must be asserted before the .NET calls are made
        permission = new InteropPermission(InteropKind::CLRInterop);
        permission.assert();

        // binds to the default domain; the domain variable below is read but not passed in
        yourDomain = new System.DirectoryServices.AccountManagement.PrincipalContext(System.DirectoryServices.AccountManagement.ContextType::Domain);

        // find your user
        userInfo = xUserInfo::find(false, userId);
        domain = userInfo.networkDomain;
        username1 = userInfo.networkAlias;
        user = System.DirectoryServices.AccountManagement.UserPrincipal::FindByIdentity(yourDomain, username1);

        // if found - grab its groups
        if (user != null)
        {
            // security groups only, nested group memberships included
            groups = user.GetAuthorizationGroups();
            enum = groups.GetEnumerator();

            while (enum.MoveNext())
            {
                p = enum.get_Current();
                groupName = p.get_Name();
                groupN = groupName; // marshal System.String to an X++ str
                info(groupN);       // print the group name to the Infolog
            }
        }
    }
    catch (Exception::CLRError)
    {
        // surface the underlying .NET exception text
        error(AifUtil::getClrErrorMessage());
    }

    CodeAccessPermission::revertAssert();
}
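
For the other direction mentioned above (which users are members of a specific group), here is an added example that is not part of the original post or its XPO. It lists the members of one AD group and checks whether each already has an AX user record, which is useful when reviewing who inherits a group's permissions. The job name and group name are placeholders, and matching on networkAlias alone ignores the domain.

```xpp
// Added example, not from the original XPO: members of one AD group vs. AX users.
static void adGroupMembers(Args _args)
{
    System.DirectoryServices.AccountManagement.PrincipalContext ctx;
    System.DirectoryServices.AccountManagement.GroupPrincipal   grp;
    System.DirectoryServices.AccountManagement.Principal        member;
    CLRObject           members, enumerator;
    System.String       clrAlias;
    str                 alias;
    str                 adGroupName = 'AX-GROUP-PLACEHOLDER'; // assumption: replace with a real group
    UserInfo            userInfo;
    InteropPermission   permission = new InteropPermission(InteropKind::CLRInterop);

    try
    {
        permission.assert();
        ctx = new System.DirectoryServices.AccountManagement.PrincipalContext(
            System.DirectoryServices.AccountManagement.ContextType::Domain);
        grp = System.DirectoryServices.AccountManagement.GroupPrincipal::FindByIdentity(ctx, adGroupName);

        if (grp == null)
        {
            warning(strFmt("AD group %1 not found", adGroupName));
        }
        else
        {
            // true = recursive: members of nested groups are returned as well
            members    = grp.GetMembers(true);
            enumerator = members.GetEnumerator();
            while (enumerator.MoveNext())
            {
                member   = enumerator.get_Current();
                clrAlias = member.get_SamAccountName();
                alias    = clrAlias; // marshal System.String to an X++ str

                // Has this member already been created as an AX user?
                select firstonly userInfo
                    where userInfo.networkAlias == alias;

                if (userInfo.RecId)
                    info(strFmt("%1: AX user %2, enabled: %3", alias, userInfo.Id, userInfo.Enable));
                else
                    info(strFmt("%1: no AX user yet", alias));
            }
        }
    }
    catch (Exception::CLRError)
    {
        error(AifUtil::getClrErrorMessage());
    }
    CodeAccessPermission::revertAssert();
}
```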


7 thoughts on “Active Directory Lookup in AX 2012”

  1. Hi,
    Nice Article, this one will be helpful for my task.
    I am trying to create a user relationship for the users automatically. As you know, we cannot have user relationship created at the users of type “Active directory groups”, my idea is to set up user relationship while AX auto-creates user [belong to AD group] to AX when he/she first logs in to AX.
    I am not able to find the code block which auto-creates users while a user logs in for the first time. Do you have an idea on this?

    • Hi Nitin.

      I have also not found this code myself, I believe for security reasons it is not available to us to customise but only in the AX kernel. Why are you not able to make use of the built-in functionality where you set up the security on the group and then all users who belong to that group simply inherit those rights?

      • Hi Jonathan,

        Thanks for the reply.
        Yes, the users can inherit the security roles set up at the group level.
        But at group level, we cannot set up the relationships (relationships like Customer, Vendor, Employee.. the button between options and profiles on the users details page).


        • Hi Nitin.

          Remember that a physical user in AX will still be created to which you can set up these relationships. But that user will automatically inherit the permissions of the “group user” which enabled the user creation. I hope that makes a bit more sense.

  2. Hi Jonathan,

    Yes, you are right, a physical user gets created in AX when the user tries to log in for the first time and this user will inherit the roles.
    However, for the relationship, we will have to set it up manually. I was trying to automate this relationship creation process.


    • Hi Nitin.

      I think I understand your requirement now. We have done this by adding code to the Application.startupPost or into the SysStartupCmd class.

      Whenever a user logs into the system (for the first time or subsequent times) the code checks if relationships exist, if they don’t it creates the employee and links them in the relevant companies.

      I hope this helps answer your question.
