公元查询查找所有组的用户 - 缺少一组 [英] Querying AD for finding all groups of a user - Missing one group

问题描述

我有以下code。使用查询AD DirectorySearcher从让所有的AD组的用户。

I've the following code to query AD using DirectorySearcher to get all the AD groups for a user.

        List<string> Groups = new List<string>();

        //initialize the directory entry object 
        DirectoryEntry dirEntry = new DirectoryEntry(ldapPath);

        //directory searcher
        DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);

        //enter the filter
        dirSearcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", username);

        //get the member of properties for the search result
        dirSearcher.PropertiesToLoad.Add("memberOf");
        int propCount;
        SearchResult dirSearchResults = dirSearcher.FindOne();
        propCount = dirSearchResults.Properties["memberOf"].Count;
        string dn;
        int equalsIndex;
        int commaIndex;
        for (int i = 0; i <= propCount - 1; i++)
        {
            dn = dirSearchResults.Properties["memberOf"][i].ToString();

            equalsIndex = dn.IndexOf("=", 1);
            commaIndex = dn.IndexOf(",", 1);
            if (equalsIndex == -1)
            {
                return null;
            }
            if (!Groups.Contains(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1)))
            {
                Groups.Add(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
            }
        }

        return Groups;

但是，当我检查的memberOf选项卡中的AD的用户我有一个额外的组域用户，这我没有收到过这个code。

But when i check the 'memberof' tab in AD for a user I've one additional group 'Domain Users' which I'm not getting through this code.

任何想法？为什么我没有收到域用户中的的memberOf收藏？

Any ideas? Why I'm not getting 'Domain Users' in the 'memberof' collection?

推荐答案

组可以是其他组的成员。也许你的用户不是直接成员，但只有间接的成员？

Groups can be members of other groups. Maybe your users are not direct members, but only indirect members?

我做遍历所有组的子组，也检索时，一个广告组。

I do iterate all groups for child groups, too, when retrieving the groups on an AD.

但是要注意，你可能会得到无穷的递归，因为组可以（间接）互相牵制。我有一个很难找到这一点:-(现在我还记得每一个处理组中的全球名单，只一次，以避免这个过程）。

Be warned that you may get endless recursion, since groups can (indirectly) contain each other. I had a hard time finding this out :-( Now I remember each processed group in a "global" list to only process it once to avoid this).

我写了一个 $ C $的CProject文章与一些通用库，包含AD类也。 （参见 /工具/的DirectoryServices / 类的子文件夹中下载的ZIP文件）。

I've written a CodeProject article with some general purpose libraries, that contains AD classes, too. (See the classes in the "/Tools/DirectoryServices/" sub folder in the downloaded ZIP file).

这篇关于公元查询查找所有组的用户 - 缺少一组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！