AD User Attribute conundrums – Reading a AD User Attribute when its value is “<Not Set>”


How does one read in and start processing an AD User Attribute when it’s value  is NOT SET? When it is set to some legal value it is very easy to read and extract the value and this is well documented. But when it is NOT SET, then there is no clue as to how to read without it blowing up in your face.

I was working on a custom application application development and had the need to read in  user’s AD attributes. For those that are new to this, an Active Directory (AD) user can have several attributes. Examples would be userName, Account Expiry Date, Smart Card Required for Log on, etc.,.

In this case I had to read in the values of a custom attribute that was added to the AD Schema.

Typically one would read in the string value using the following notation.


Now this will work as long as the actual value stored is a non null. When you use ADSIEDIT.MSC tool to see the property values, if they are null you would see them as <Not Set>. If you try to use the same code as above to read in a user property’s value when it is  not set then it would give a null reference exception. This caused me some (countless hours) grief and nowhere could I found it documented, on how to read in the value when it is unset like this. The trick is to read in the value into an object and then check for the object’s null’ness. If it is not set, then you don’t try to read and cast it. Else go ahead and read it and start processing.


string customString; 

     Object o = user.Properties["customSecurityFlag"].Value;

       if (o == null)
            customString = "Unknown flag value";

            int customFlagValue = (int)user.Properties["customSecurityFlag"].Value;

            switch (customFlagValue)

               // case statements for integers

               // so on


Hopefully someone will find this useful or have a better solution.

Comments (2)

  1. Tim Bellette says:

    You could use a generic extension method:

    public static T GetProperty<T>(this System.DirectoryServices.SearchResult result, string propertyName)


       T value = default(T);

       if (result.Properties.Contains(propertyName) && result.Properties[propertyName].Count > 0)


           value = (T)result.Properties[propertyName][0];



    Then you just need to call:

    int customFlagValue = result.GetPropert<int>("customSecurityFlag"];

    Of course in this case, if the value did not exist then a value of 0 would return (default of int) – which may be used as a valid value of the "customSecurityFlag" and cause issues, but you could easily add an extension method which returns a boolean value indicating if the property exists in such cases.

  2. Siva says:

    Sure, this helped me today.  Having the same toruble to read a value not set already.  Thanks for the findings and solution.

Skip to main content