如何确定所有组用户所属的（包括嵌套组）中的ActiveDirectory和.NET 3.5 [英] How to determine all the groups a user belongs to (including nested groups) in ActiveDirectory and .NET 3.5

问题描述

我有一个使用ActiveDirecotry授权的应用程序，它已经决定了它需要支持嵌套的AD组，例如：

I have an application that uses ActiveDirecotry authorisation and it has been decided that it needs to support nested AD groups, e.g.:

MAIN_AD_GROUP
     |
     |-> SUB_GROUP
              | 
              |-> User

所以，在没有用户的直接的 MAIN_AD_GROUP 中的一员。我希望能够寻找用户递归搜索嵌套在 MAIN_AD_GROUP 组。

So, the user in not directly a member of MAIN_AD_GROUP. I'd like to be able to look for the user recursively, searching the groups nested in MAIN_AD_GROUP.

主要的问题是，我使用的是.NET 3.5并且在.NET 3.5中 System.DirectoryServices.AccountManagement 中的错误，由此方法 UserPrincipal.IsMemberOf（）的不会为集团是超过1500个用户<工作/ EM> 。所以，我不能使用 UserPrincipal.IsMemberOf（）也没有，我不能切换到.NET 4任。

The main problem is that I'm using .NET 3.5 and there is a bug in System.DirectoryServices.AccountManagement in .NET 3.5 whereby the method UserPrincipal.IsMemberOf() will not work for groups with more than 1500 users. So I can't use UserPrincipal.IsMemberOf() and no, I can't switch to .NET 4 either.

我解决这个问题，最后用下面的函数工作：

I've worked around this last problem with the following function:

private bool IsMember(Principal userPrincipal, Principal groupPrincipal)
{
    using (var groups = userPrincipal.GetGroups())
    {
        var isMember = groups.Any(g => 
            g.DistinguishedName == groupPrincipal.DistinguishedName);
        return isMember;
    }
}

但 userPrincipal.GetGroups（）只返回该用户是直接成员的组。

But userPrincipal.GetGroups() only returns the groups of which the user is a direct member.

我怎样才能得到这与嵌套组的工作？

How can I get this to work with nested groups?

推荐答案

这个错误报告<一href="https://connect.microsoft.com/VisualStudio/feedback/details/522539/clr-forum-error-calling-principal-getauthorizationgroups-in-winxp-sp3">here在微软连接的以及下列code，它通过了 PrincipalSearchResult＆LT手动迭代解决此问题的工作;首席＆GT; 返回的对象，捕捉这个例外，并且在继续：

Workaround #1

This bug is reported here at Microsoft Connect along with the following code that works around this issue by manually iterating through the PrincipalSearchResult<Principal> returned objects, catching this exception, and continuing on:

PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
var iterGroup = groups.GetEnumerator();
using (iterGroup)
{
    while (iterGroup.MoveNext())
    {
        try
        {
            Principal p = iterGroup.Current;
            Console.WriteLine(p.Name);
        }
        catch (NoMatchingPrincipalException pex)
        {
            continue;
        }
    }
}

变通办法＃2

另一个解决办法<一href="http://social.msdn.microsoft.com/Forums/en/csharpgeneral/thread/9dd81553-3539-4281-addd-3eb75e6e4d5d">found这里避免了 AccountManagement 类，并使用的System.DirectoryServices API，而不是：

Workaround #2

Another workaround found here avoids the AccountManagement class, and uses the System.DirectoryServices API instead:

using System;  
using System.Collections.Generic;  
using System.Linq;  
using System.Text;  
using System.DirectoryServices;  

namespace GetGroupsForADUser  
{  
    class Program  
    {  
        static void Main(string[] args)  
        {  
            String username = "Gabriel";  

            List<string> userNestedMembership = new List<string>();  

            DirectoryEntry domainConnection = new DirectoryEntry(); // Use this to query the default domain
            //DirectoryEntry domainConnection = new DirectoryEntry("LDAP://example.com", "username", "password"); // Use this to query a remote domain

            DirectorySearcher samSearcher = new DirectorySearcher();  

            samSearcher.SearchRoot = domainConnection;  
            samSearcher.Filter = "(samAccountName=" + username + ")";  
            samSearcher.PropertiesToLoad.Add("displayName");  

            SearchResult samResult = samSearcher.FindOne();  

            if (samResult != null)  
            {  
                DirectoryEntry theUser = samResult.GetDirectoryEntry();  
                theUser.RefreshCache(new string[] { "tokenGroups" });  

                foreach (byte[] resultBytes in theUser.Properties["tokenGroups"])  
                {  
                    System.Security.Principal.SecurityIdentifier mySID = new System.Security.Principal.SecurityIdentifier(resultBytes, 0);  

                    DirectorySearcher sidSearcher = new DirectorySearcher();  

                    sidSearcher.SearchRoot = domainConnection;  
                    sidSearcher.Filter = "(objectSid=" + mySID.Value + ")";  
                    sidSearcher.PropertiesToLoad.Add("distinguishedName");  

                    SearchResult sidResult = sidSearcher.FindOne();  

                    if (sidResult != null)  
                    {  
                        userNestedMembership.Add((string)sidResult.Properties["distinguishedName"][0]);  
                    }  
                }  

                foreach (string myEntry in userNestedMembership)  
                {  
                    Console.WriteLine(myEntry);  
                }  

            }  
            else 
            {  
                Console.WriteLine("The user doesn't exist");  
            }  

            Console.ReadKey();  

        }  
    }  
}  

这篇关于如何确定所有组用户所属的（包括嵌套组）中的ActiveDirectory和.NET 3.5的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！