Use .Net DirectoryServices to Set TTL on Active Directory Group Membership

Problem description

I am using the tools in the .Net System.DirectoryServices.AccountManagement namespace to manage Active Directory groups - group creation, adding users to groups, removing users from groups, etc. Here's some code that shows what I'm doing right now...

-- group creation
// namespace that provides PrincipalContext, GroupPrincipal and UserPrincipal (needed by both snippets)
using System.DirectoryServices.AccountManagement;

// s_prodAdServerName, s_ouPath, s_userAdServerName and s_adServers are static configuration fields set elsewhere
static bool CreateGroup(string groupName)
{
  // connect to our organizational unit on the production Active Directory Server
  using (PrincipalContext principalCtx = new PrincipalContext(ContextType.Domain, s_prodAdServerName, s_ouPath))
  {
    // create group with necessary configuration and save
    using (GroupPrincipal group = new GroupPrincipal(principalCtx, groupName))
    {
      group.GroupScope = GroupScope.Local;
      group.IsSecurityGroup = true;
      group.Save();

      // group successfully created
      return true;
    }
  }
}


-- add a member to a group
static bool AddUserToGroup(string userName, string groupName)
{
  // find user on Active Directory Server (the principal is disposable, so keep it in a using block)
  using (PrincipalContext userPrincipalCtx = new PrincipalContext(ContextType.Domain, s_userAdServerName))
  using (UserPrincipal user = UserPrincipal.FindByIdentity(userPrincipalCtx, userName))
  {
    // if user exists, explicitly add to group on each production Active Directory server
    if (null != user)
    {
      // connect to each Active Directory Server
      foreach (string aServer in s_adServers)
      {
        // connect to our organizational unit on this server
        using (PrincipalContext groupPrincipalCtx = new PrincipalContext(ContextType.Domain, aServer, s_ouPath))
        {
          // connect to the group on this server
          using (GroupPrincipal group = GroupPrincipal.FindByIdentity(groupPrincipalCtx, groupName))
          {
            // FindByIdentity returns null when the group does not exist on this server
            if (null == group)
            {
              throw new InvalidOperationException("Group '" + groupName + "' not found on server " + aServer);
            }

            // add user to group on this server if it isn't already a member
            if (!group.Members.Contains(user))
            {
              group.Members.Add(user);
              group.Save();
            }
          }
        }
      }

      // user is member of group on all production Active Directory Servers
      return true;
    }
    else
    {
      // user does not exist; cannot be added to group
      return false;
    }
  }
}

My question is this: at either step outlined above (group creation or adding a user to a group), is it possible to specify the TTL for group membership? In this case, it's okay if all instances of group membership have the same TTL (in fact, that is the desired behavior), so if that configuration can somehow be set on the group that's fine, and possibly preferable. To be clear, I don't want the user to go away after the TTL, that needs to persist, I just want their membership in the group to be revoked. Thanks!

Recommended answer

This feature doesn't exist today but it is coming in the next version of Active Directory (the Windows 10 Server version).
