How can I query if a user of one domain is a member of a group in another AD domain?


Problem description

I have a series of applications that all use the same C#, .Net 2.0 code that I've created to check and see if a user is a member of an Active Directory group.

I haven't had any trouble with my code until recently, when I added a user from another, trusted AD domain to one of my AD groups. My question is how can I check to see if a user is a member of an Active Directory group, regardless of their domain. In other words, they may or may not be in the same domain as my group. Below is the code that I have written and used for years to search to see if the user is in an Active Directory group. I'm not sure where I adapted this code from but I'd assume it came from an MSDN article. Also, the solution must be for the .Net 2.0 framework. I have found quite a few answers that may work for this problem in .Net 3.5. Unfortunately, that won't work for my scenario.

using System;
using System.DirectoryServices;

//This method takes a user name and the name of an AD Group (role).  
//Current implementations of this method do not contain the user's domain 
//with userName, because it comes from the Environment.UserName property.
private static bool IsInRole(string userName, string role)
{
    try
    {
        role = role.ToLowerInvariant();
        // Bind to the default naming context of the domain the machine belongs to.
        DirectorySearcher ds = new DirectorySearcher(new DirectoryEntry(null));
        // Parenthesised LDAP filter; userName is expected to be a bare logon name.
        ds.Filter = "(sAMAccountName=" + userName + ")";
        SearchResult sr = ds.FindOne();
        if (sr == null)
            return false;
        DirectoryEntry de = sr.GetDirectoryEntry();
        // memberOf lists only the groups the user is a direct member of
        // (the primary group and groups reached through nesting are not listed).
        PropertyValueCollection dir = de.Properties["memberOf"];
        for (int i = 0; i < dir.Count; ++i)
        {
            // "CN=GroupName,OU=...,DC=..." -> "groupname"; assumes the CN holds no comma.
            string s = dir[i].ToString().Substring(3);
            s = s.Substring(0, s.IndexOf(',')).ToLowerInvariant();
            if (s == role)
                return true;
        }
        return false;
    }
    catch
    {
        return false;
    }
}

Recommended answer

This is not the answer you are waiting for, but I hope it can help.

First; you suppose your code is working in a domain, but I don't see where it takes care of the user's 'principal group'. If you select a group as the 'user principal group', this group is no longer part of the member attribute.

Second; in my understanding, a way (I hope not the only one, but I am still looking) to see if a user is present in a group is to 'recursively' look for the user DN in the 'member' attribute of 'group' objects. So, in your case, you may ask your domain and the other domain. You can do that with ONE search per domain. Here is a sample of such a 'recursive one-shot search' using a control:

using System;
using System.DirectoryServices;

/* Connection to Active Directory
 */
string sFromWhere = "LDAP://WIN-COMPUTER:389/";
// Verbatim string: a plain "dom\user" literal would be read as an invalid \u escape.
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, @"dom\user", "password");

/* To find all the groups that "user1" is a member of :
 * Set the base to the groups container DN; for example root DN (dc=dom,dc=fr) 
 * Set the scope to subtree
 * Use the following filter :
 * (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
 */
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");

// One search returns every group that contains the user, directly or through nested groups.
SearchResultCollection srcGroups = dsLookFor.FindAll();
foreach (SearchResult srcGroup in srcGroups)
{
    Console.WriteLine(srcGroup.Properties["cn"][0]);
}
srcGroups.Dispose();

Remark: you can use a more accurate filter to exclude distribution groups, for example.

Edited (to answer the questions in the comments):

First: are the credentials needed? I would say no if the request is done from a computer that belongs to the domain or the approved domain.

Second and third: yes, filters are documented by Microsoft in AD Search Filter Syntax. The way I wrote this filter is a deduction from the samples.
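The answer raises two things the question's memberOf loop misses: the primary group (identified only by the primaryGroupID RID, never listed in memberOf or member) and nested membership (which the LDAP_MATCHING_RULE_IN_CHAIN rule 1.2.840.113556.1.4.1941 resolves in one search). A third point matters for the cross-domain case the question asks about: a principal from a domain outside the forest is represented in the group's domain by a foreignSecurityPrincipal object named after its SID, and it is that object's DN, not the user's own DN, that the group's member attribute holds. The following is an added example, not code from the question or the answer. It runs offline and only builds the filters and SIDs such a check needs; the helper names, the sample domain SID, RID 1105 and the DNs are constructed, and "DC=dom,DC=fr" is simply the answer's example domain. Besides the recursive filter, it shows RFC 4515 escaping of the DN (so a name containing parentheses or backslashes cannot alter the filter) and the groupType bit test that excludes distribution groups.

```python
# Added example, not code from the original question or answer. Everything
# here is offline: it builds LDAP filters and SIDs for a cross-domain group
# membership check without contacting a directory. Sample SIDs, RIDs and DNs
# are constructed; "DC=dom,DC=fr" is the answer's example domain.
import struct
from typing import List

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (nested) membership
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on integer attributes
GROUP_TYPE_SECURITY_ENABLED = 0x80000000                  # ADS_GROUP_TYPE_SECURITY_ENABLED


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that '(' ')' '*' '\\' or NUL
    inside a DN or name cannot terminate or widen the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def recursive_member_filter(member_dn: str, security_groups_only: bool = True) -> str:
    """Filter returning every group that holds member_dn directly or through
    nested groups, in one search. With security_groups_only, distribution
    groups are dropped by testing the security-enabled bit of groupType."""
    clauses = ["(objectCategory=group)"]
    if security_groups_only:
        clauses.append("(groupType:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND,
                                               GROUP_TYPE_SECURITY_ENABLED))
    clauses.append("(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                        escape_filter_value(member_dn)))
    return "(&" + "".join(clauses) + ")"


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then 32-bit little-endian
    sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def build_sid(authority: int, subauthorities: List[int]) -> bytes:
    """Inverse of sid_to_string; used here only to construct sample data."""
    return (bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))


def primary_group_sid(user_object_sid: bytes, primary_group_id: int) -> str:
    """The primary group never appears in memberOf/member. Its SID is the
    user's domain SID (user SID minus the user's own RID) plus primaryGroupID."""
    domain_sid = sid_to_string(user_object_sid).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def primary_group_filter(user_object_sid: bytes, primary_group_id: int) -> str:
    """Filter locating the primary group object by SID; AD accepts the
    string form of a SID as an objectSid assertion value."""
    sid = primary_group_sid(user_object_sid, primary_group_id)
    return "(&(objectCategory=group)(objectSid=%s))" % escape_filter_value(sid)


def foreign_security_principal_dn(user_sid: str, group_domain_dn: str) -> str:
    """A principal from a domain outside the forest is stored in the group's
    domain as a foreignSecurityPrincipal named after its SID; the group's
    member attribute references that DN, so the recursive search in the
    group's domain must use it rather than the user's own DN."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (user_sid, group_domain_dn)


# Constructed sample: user RID 1105 in a made-up domain, primaryGroupID 513
# (the RID of Domain Users).
SAMPLE_USER_SID = build_sid(5, [21, 1004336348, 1177238915, 682003330, 1105])


def sample_checks() -> dict:
    """The three searches a complete check needs, for the sample user."""
    user_sid = sid_to_string(SAMPLE_USER_SID)
    return {
        "same_domain_filter": recursive_member_filter("CN=user1,CN=Users,DC=dom,DC=fr"),
        "cross_domain_filter": recursive_member_filter(
            foreign_security_principal_dn(user_sid, "DC=dom,DC=fr")),
        "primary_group_filter": primary_group_filter(SAMPLE_USER_SID, 513),
    }


if __name__ == "__main__":
    for name, value in sample_checks().items():
        print(name, "=>", value)
```

The same_domain_filter and cross_domain_filter strings are what the answer's DirectorySearcher would be given in each domain (one search per domain, as the answer says); the primary_group_filter is the extra lookup the memberOf loop in the question never performs. Within a single forest the member attribute carries the user's real DN from the other domain, so the foreignSecurityPrincipal DN is only needed for principals from an external trust.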
