使用Sharepoint API获取AD域组的成员 [英] Getting members of an AD domain group using Sharepoint API
问题描述
foreach(SPUser用户在SPContext.Current中。 Web.AllUsers)
{
...
}
很重要的是,我可以将一个域安全组添加到Sharepoint组(如访问者),从而一次添加许多用户(更简单的管理)。但我的代码至少没有看到这些用户,直到他们第一次登录(如果他们有足够的权限)。在这种情况下,我只能看到域安全组 SPUser 对象实例,其 IsDomainGroup 设置为 true 。
是否可以通过Sharepoint 获取域组成员,而无需使用Active Directory查询(这是我宁愿避免的事情,因为您可能需要足够的权限进行此类操作=更多管理:Sharepoint权利+ AD权限)。
您可以使用方法 SPUtility.GetPrincipalsInGroup ( MSDN )。
除之外,所有参数都是自解释的字符串输入,这是安全组的NT帐户名称:
bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group =Domain\\SecurityGroup;
SPPrincipalInfo [] users = SPUtility.GetPrincipalsInGroup(web,group,limit,out reachMaxCount);
请注意,此方法不能解决嵌套安全组。此外,执行用户需要在当前网络上浏览用户信息权限( SPBasePermissions.BrowseUserInfo )。
更新:
private void ResolveGroup(SPWeb w,string name,List< string> users)
{
foreach(SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w,name,100,out b))
{
if(i.PrincipalType == SPPrincipalType.SecurityGroup)
{
ResolveGroup(w,i.LoginName,users);
}
else
{
users.Add(i.LoginName);
}
}
}
列表< string> users = new List< string>();
foreach(SPConser.Current.Web.AllUsers中的SPUser用户)
{
if(user.IsDomainGroup)
{
ResolveGroup(SPContext.Current.Web,user .LoginName,users);
}
else
{
users.Add(user.LoginName);
}
}
编辑: p>
[...]诉诸于Active Directory查询(这是我宁愿避免的,因为您可能需要足够的权限进行此类操作。 ..]
当然这是真的,但SharePoint也必须查找AD,这就是为什么一个应用程序池服务帐户需要具有对AD的读取权限
换句话说,如果您将代码恢复到进程帐户,则应该对AD执行查询是安全的。
In my Sharepoint code I display a list of all defined users via:
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
...
}
The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.
Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).
You can use the method SPUtility.GetPrincipalsInGroup (MSDN).
All parameters are self-explaining except string input, which is the NT account name of the security group:
bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);
Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.
Update:
private void ResolveGroup(SPWeb w, string name, List<string> users)
{
foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
{
if (i.PrincipalType == SPPrincipalType.SecurityGroup)
{
ResolveGroup(w, i.LoginName, users);
}
else
{
users.Add(i.LoginName);
}
}
}
List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
if (user.IsDomainGroup)
{
ResolveGroup(SPContext.Current.Web, user.LoginName, users);
}
else
{
users.Add(user.LoginName);
}
}
Edit:
[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]
That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD. In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.
这篇关于使用Sharepoint API获取AD域组的成员的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
