ADSI Indirect Group Membership

Problem description

I am trying to create a method that accepts a list of Active Directory security groups and returns a boolean response for whether or not the user is a member (either direct or indirect). I am using Adaxes (which basically extends ADSI with some of their own functionality). They have an object (IAdmGroup) that returns an array of byte[] for all members (direct and indirect) for a group. I want to avoid using that method if I can because some of the groups have very large groups under them (10,000+ users) and I don't want to impact performance if I can help it.

Here is an example of my problem: Group 1 has Group 2 as a member. User 1 is a member of Group 2. If I pass my method User 1 and Group 1 I should get "true". Group 1 also has Group 3 in it. Group 3 has 10,000 members and I would hate to have to pull all 10,000+ members of that group into a collection and search through the collection to see if User 1 is in it.

I am using C#, .NET 4.0, and WCF.

Here's what I have so far (I know it's not much):

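public Dictionary<string, bool> CheckGroupMembership(List<string> groups, string guid)
{
    var resp = new Dictionary<string, bool>();
    // The user does not change between groups, so bind to it once.
    var user = getIADsUser("Adaxes://<GUID=" + guid + ">"); // gets the IADsUser object
    foreach (string group in groups)
    {
        var adGroup = GetGroup(group); // gets the IADsGroup
        // The direct-or-indirect membership test for user/adGroup is still to be written here.
    }
    return resp; // every code path must return the dictionary
}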


Recommended answer

You can use System.DirectoryServices.AccountManagement and WindowsPrincipal:

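using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Look the user up in the domain by the identity value passed in (here a GUID string).
PrincipalContext context = new PrincipalContext(ContextType.Domain, "DomainName");
UserPrincipal user = UserPrincipal.FindByIdentity(context, guid);

// Build a Windows identity from the user's UPN and test group membership through its token.
WindowsPrincipal wpuser = new WindowsPrincipal(new WindowsIdentity(user.UserPrincipalName));
bool blIsInRole = wpuser.IsInRole("TheGroupName");
if (blIsInRole)
  Console.WriteLine("IsInRole : Belongs too");
else
  Console.WriteLine("IsInRole : Don't Belongs too");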
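
Another way to cover the question's nested-group case without pulling any member list to the client, added here as an example (not code from the question, the answer, or Adaxes): ask the domain controller to walk the nesting chain with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. It assumes plain LDAP through System.DirectoryServices, groups given as distinguished names, and a search root such as the domain's `LDAP://` path; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class TransitiveMembership // hypothetical name
{
    // LDAP_MATCHING_RULE_IN_CHAIN: Active Directory resolves nested groups server-side.
    private const string InChain = "1.2.840.113556.1.4.1941";

    // Escape a value for an LDAP filter (RFC 4515) so a group DN containing
    // \ * ( ) or NUL cannot alter the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // objectGUID is matched on its raw bytes, written as \xx pairs in the filter.
    public static string GuidToFilter(Guid guid)
    {
        var sb = new StringBuilder();
        foreach (byte b in guid.ToByteArray())
            sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // One server-side query per group; no member list is pulled to the client.
    public static Dictionary<string, bool> CheckGroupMembership(
        DirectoryEntry searchRoot, IEnumerable<string> groupDns, Guid userGuid)
    {
        var result = new Dictionary<string, bool>();
        foreach (string dn in groupDns)
        {
            string filter = string.Format("(&(objectGUID={0})(memberOf:{1}:={2}))",
                GuidToFilter(userGuid), InChain, EscapeFilterValue(dn));
            using (var searcher = new DirectorySearcher(searchRoot, filter, new[] { "distinguishedName" }))
                result[dn] = searcher.FindOne() != null; // a hit means direct or nested member
        }
        return result;
    }
}
```

The in-chain match follows `memberOf`, so membership held only through the user's primary group (typically Domain Users) is not reported.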
