Determine if user is in AD group


Problem description


I need to be able to determine if the user is a member of a given AD group.
I have a method of doing this, but it is not suitable for 64-bit OSes, so I
need to find an alternative route. I actually think an alternative route
might actually be a better route.

I'm not an ADSI expert (frankly, I find it confusing) and I don't want to
learn any more - I just want to be able to do this one thing.

How do you guys go about achieving this?

I found one method that worked on my development machine but not on the
server:

Dim COURTHOUSE, WshNetwork, existingDrives, ADSysInfo, CurrentUser, _
    UserName, ComputerName
Dim strGroups, oGroup, x

Set WshNetwork = CreateObject("WScript.Network")

Set existingDrives = WshNetwork.EnumNetworkDrives

Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write ADSysInfo.UserName & "<BR><BR>"
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)   ' <<== error on server

UserName = LCase(WshNetwork.UserName)

ComputerName = LCase(WshNetwork.ComputerName)

Response.Write UserName & " " & ComputerName

' MemberOf is a single string (VarType 8) when the user is in one group
' and an array of strings (VarType 8204) when the user is in several
Select Case VarType(CurrentUser.MemberOf)
    Case 8
        strGroups = LCase(CurrentUser.MemberOf)
    Case 8204
        strGroups = LCase(Join(CurrentUser.MemberOf))
End Select

Response.Write strGroups

Ok, it's not polished code, but it works locally. However it produces a
'80072020' on the stated line. It seems to be a permissions issue of some
sort, but I can't find a solution.

Any ideas?

Thanks in advance.

Chris

Recommended answer


Hello Chris,

Your code looks flawless. I also doubt it is a security issue. To query AD
information, we need to use at least a domain user's permission. I suggest you
may first check what account your ASP application is running with.
If you are working with IIS 6, the account should be specified as the
application pool's identity; if it is IIS 5, you need to check the identity of the IIS
application in Component Services manager.

BTW, to confirm if this is a security issue, you may log on to the target
server with a domain user account, and create a VBS file with the following
code:

Set WshNetwork = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")

msgbox ADSysInfo.UserName

Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

UserName = LCase(WshNetwork.UserName)

ComputerName = LCase(WshNetwork.ComputerName)

msgbox UserName & " " & ComputerName

Select Case VarType(CurrentUser.MemberOf)
    Case 8
        strGroups = LCase(CurrentUser.MemberOf)
    Case 8204
        strGroups = LCase(Join(CurrentUser.MemberOf))
End Select

msgbox strGroups

If the above code can execute successfully, we can make sure it is an ASP
security issue.

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
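Added example, not code from Chris's ASP page or Luke's test script: a stand-alone VBS that generalises the MemberOf/VarType handling both posts use into a reusable membership check (following nested groups as well) and surfaces the ADSI error number instead of failing silently. The distinguished names, the placeholder group DN and the use of Scripting.Dictionary are my assumptions.

```vbscript
Option Explicit

' Normalise MemberOf: VarType 8 = one group (string), 8204 = several
' (array of strings); Empty when the object is in no groups at all.
Function MemberOfList(obj)
    Dim v
    v = obj.MemberOf
    Select Case VarType(v)
        Case 8:    MemberOfList = Array(v)
        Case 8204: MemberOfList = v
        Case Else: MemberOfList = Array()
    End Select
End Function

' True if objDN is in groupDN directly or through nested groups.
' visited (Scripting.Dictionary) stops loops when groups contain each other.
Function IsMemberOf(objDN, groupDN, visited)
    Dim obj, dn
    IsMemberOf = False
    If visited.Exists(LCase(objDN)) Then Exit Function
    visited.Add LCase(objDN), True
    Set obj = GetObject("LDAP://" & objDN)
    For Each dn In MemberOfList(obj)
        If LCase(dn) = LCase(groupDN) Then
            IsMemberOf = True
            Exit Function
        End If
        If IsMemberOf(dn, groupDN, visited) Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function

' Report the ADSI error instead of silently treating a failed query as
' "not a member": 0x80072020 here is usually a permissions failure, i.e. the
' account running this script (under ASP, the app pool identity) cannot read AD.
Dim sysInfo, userDN, targetGroup, visited
Set sysInfo = CreateObject("ADSystemInfo")
userDN = sysInfo.UserName                       ' DN of the calling account
targetGroup = "CN=WebUsers,OU=Groups,DC=example,DC=com"   ' placeholder DN
Set visited = CreateObject("Scripting.Dictionary")
On Error Resume Next
If IsMemberOf(userDN, targetGroup, visited) Then
    WScript.Echo "member of " & targetGroup
Else
    WScript.Echo "not a member of " & targetGroup
End If
If Err.Number <> 0 Then WScript.Echo "ADSI error 0x" & Hex(Err.Number) & ": " & Err.Description
```

Run it with cscript as the same account the application pool uses: a membership answer from the VBS but 0x80072020 from the ASP page confirms the pool identity, not the script logic, is the problem.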





"Luke Zhang [MSFT]" <lu******@online.microsoft.com> wrote in message
news:fn**************@TK2MSFTNGXA01.phx.gbl...


Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

[snip]

If above code can execute successfully, we can make sure it is an ASP
security issue.







Luke,

If I call the script when logged in to the server, it runs fine. If I call
the page from another workstation, it fails at the line above.

In both cases, the application pool uses the Network Service as its
identity. I created another application pool and gave it the same identity
as I use for SQL Server (basically a standard domain user), and I added my
app to this pool. When I try the test page, I get an almost-blank 'Service
Unavailable' page.

I tried setting the Identity to my user account (I'm a domain admin), but
even this didn't work - it still says Service Unavailable.

Any ideas?

Thanks

Chris



Is your user account (domain admin) also a local admin on the server? And,
is the application pool started when you get the error "Service
Unavailable"?

Thanks,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

