.NET Active Directory Wrapper    
Access Active Directory From Your C# or VB .Net Code

Understanding System.DirectoryServices in the Active Directory API Stack

Windows comes with built-in APIs that are used to access Active Directory from unmanaged code. .NET Framework APIs such as System.DirectoryServices are built on top of those native APIs. In this article we will discuss those native APIs and explain how the System.DirectoryServices namespace and its classes fit into the big picture of the Active Directory API architecture.

The following is a list of the APIs in Windows used to interface with Active Directory, from the native layers up to the managed one:

  1. Native LDAP
  2. The Net* APIs
  3. The Ds* Active Directory APIs
  4. ADSI (Active Directory Service Interface)
  5. System.DirectoryServices

System.DirectoryServices API Stack


Native LDAP

The Native LDAP API is the lowest-level implementation of all the APIs in the stack. The magic behind this API is wldap32.dll, a DLL that implements the API defined in the RFC. This API is designed to be used from C or C++ code, not from VBScript, JScript or Visual Basic. The communication between the client application and the native API takes place over TCP/IP.

The Net* APIs

The Net* APIs are found in the Windows Platform SDK, a free development kit that provides extended programming access to Windows XP, Windows 2003 and Windows Vista resources. One of the key resources that it provides access to is the Windows Security Account Manager (SAM) infrastructure, which was originally designed to work with NT4 domain controllers. Given their legacy status, the Net* APIs have only limited access to modern-day Active Directory.

The Ds* Active Directory APIs

The Ds* APIs are newer than the Net* APIs and were designed to work with Windows 2000 Active Directory. They are also found in the Windows Platform SDK and are also designed to be accessed from C and C++. They communicate with Active Directory via the RPC infrastructure.

ADSI (Active Directory Service Interface)

ADSI is an API included with all versions of Windows that is accessed via a COM-based interface. The ADSI API is a generic set of interfaces that can be implemented by an ADSI provider targeting a specific directory. Two of the more popular implementations of ADSI are the LDAP ADSI provider and the WinNT ADSI provider, the latter of which allows access to SAM infrastructures.

It is important to mention that ADSI is different from the rest of the APIs in the stack: it is a higher-level API that can be used from VBScript, JScript, Visual Basic and C++, making it much easier to use. Its ease of use comes at the price of functionality and performance. However, it is often the case that the network, not the API, is the bottleneck. The ADSI API is therefore still considered an excellent interface that is efficient and broad in functionality.


System.DirectoryServices

The System.DirectoryServices namespace, found in the .Net Framework (System.DirectoryServices.dll), provides the core classes needed by .Net developers to access and interact with objects in an LDAP directory. Note that the classes in this namespace are based on ADSI providers, most importantly the LDAP provider in our case.

System.DirectoryServices lives in the .Net Framework 1.1 - 4.5. In .Net Framework the functionalities and features offered by the namespace were improved and expanded. Backward compatibility is supported across the v1.1 - 4.5 environments.
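
The layering described above can be seen in a short lookup. This is an added example, not code from the original article: it binds through the ADSI LDAP provider with a signed and sealed session and escapes caller-supplied input before placing it in a search filter. The class name `AdLookup`, its method names, the root path `LDAP://DC=example,DC=com` and the account name are hypothetical, and the directory query needs a domain-joined Windows machine.

```csharp
using System;
using System.DirectoryServices;   // managed wrapper over ADSI (System.DirectoryServices.dll)
using System.Text;

static class AdLookup   // hypothetical helper class for this example
{
    // Escape a value for use inside an LDAP search filter (RFC 4515), so that
    // caller-supplied text cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        return sb.ToString();
    }

    // The "LDAP://" prefix of rootPath selects the ADSI LDAP provider;
    // a "WinNT://" path would select the SAM-oriented WinNT provider instead.
    public static string FindUserDn(string rootPath, string samAccountName)
    {
        // Secure binds with the caller's Windows credentials (null user/password);
        // Signing and Sealing add integrity and encryption to the session.
        var auth = AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";
        using (var root = new DirectoryEntry(rootPath, null, null, auth))
        using (var searcher = new DirectorySearcher(root, filter,
                   new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            searcher.SizeLimit = 1;   // only one match is expected
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    static void Main()
    {
        // Constructed sample input containing filter metacharacters.
        Console.WriteLine(EscapeFilterValue("o'neil (temp)*"));
        Console.WriteLine(FindUserDn("LDAP://DC=example,DC=com", "jdoe") ?? "(not found)");
    }
}
```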