S.DS.P, DirSync & IncrementalValues
The ability to query Active Directory for changes within multi-valued attributes was introduced with Windows Server 2003. Before that, all the values of a multi-valued attribute were returned, even if only one value out of thousands had been modified.
My scenario was the ability to see which objects had been added or removed from the membership of a group, in this case very large groups containing thousands of members. Using System.DirectoryServices.Protocols (S.DS.P) we can achieve this behaviour by passing DirectorySynchronizationOptions.IncrementalValues to our DirSyncRequestControl.
Once you have your initial DirSync cookie, only the changes made to the membership of the group will be returned instead of the entire member attribute. The SearchResultEntry representing the group will contain two DirectoryAttributes:
- The DirectoryAttribute "member;range=0-0" contains all delete operations
- The DirectoryAttribute "member;range=1-1" contains all add operations
Now we know which member was affected and what type of operation it was, enabling us to write some neat code to act upon these changes.
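The polling loop described above, as an added example that is not code from the original post: it persists the DirSync cookie between runs and reports removals and additions from the two ranged attributes. The domain DN, group DN, domain controller name and cookie file name are assumed placeholders, and the account running it is assumed to hold the rights DirSync requires.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;

class GroupMemberDelta
{
    // Assumed placeholder values; replace with your own domain and group.
    const string DomainDn = "DC=example,DC=com";
    const string GroupDn = "CN=Big Group,OU=Groups,DC=example,DC=com";
    const string CookieFile = "dirsync.cookie";

    static void Main()
    {
        // A null cookie starts a full sync; a saved one returns only later changes.
        byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null;

        using (var conn = new LdapConnection("dc01.example.com")) // assumed DC name
        {
            conn.SessionOptions.ProtocolVersion = 3;
            bool more;
            do
            {
                // DirSync searches are rooted at the naming context with subtree scope,
                // so the filter narrows the result to the one group of interest.
                var request = new SearchRequest(DomainDn,
                    "(distinguishedName=" + GroupDn + ")", SearchScope.Subtree, "member");
                request.Controls.Add(new DirSyncRequestControl(cookie,
                    DirectorySynchronizationOptions.IncrementalValues));

                var response = (SearchResponse)conn.SendRequest(request);
                foreach (SearchResultEntry entry in response.Entries)
                {
                    Report(entry, "member;range=0-0", "removed");
                    Report(entry, "member;range=1-1", "added");
                }

                // The response control carries the cookie for the next request.
                var sync = response.Controls.OfType<DirSyncResponseControl>().First();
                cookie = sync.Cookie;
                more = sync.MoreData;
            } while (more);
        }
        File.WriteAllBytes(CookieFile, cookie); // persist for the next run
    }

    static void Report(SearchResultEntry entry, string attrName, string op)
    {
        if (!entry.Attributes.Contains(attrName)) return;
        foreach (string dn in entry.Attributes[attrName].GetValues(typeof(string)))
            Console.WriteLine("{0}: {1}", op, dn);
    }
}
```

The placeholder group DN contains no LDAP filter metacharacters; a real DN containing characters such as parentheses or a backslash must be escaped before it is placed in the filter.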
