Search Active Directory as Other Domain\User


Problem description





Hi,
I have developed a simple VB.net application to allow a single field to be retrieved and changed for any user within Active Directory. The intention is that using delegated permissions, the application will allow this field to be controlled by basic admin staff, and avoid us having to give those admin staff the whole "Active Directory Users and Computers" application.

When you run the application, it asks you to enter a domain username and password, which it then uses to connect to Active Directory, using the following call:

de = New DirectoryServices.DirectoryEntry("LDAP://DC=testdomain,DC=local", username, Password)

This works perfectly when the username and password supplied are for a domain admin account, but if not, it generates a Directory Services COM Exception error, as follows:

"8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1"

I've tried setting permissions and delegated rights onto Active Directory, but nothing seems to make any difference. Can somebody please give me some advice to overcome this issue?

Thanks

Solution

Hi There,

Have you tried encapsulating your query in a Try... Catch... to capture the error.

Try
    de = New DirectoryServices.DirectoryEntry("LDAP://DC=testdomain,DC=local", username, Password)
Catch Ex As Exception
    MsgBox("Login Credentials Invalid, Please try again.")
End Try



From what I can see from your question, this is what you are asking?

Regards
Dave


Yes, the code already has a Try, Catch, End block as follows:

Try
    de = New DirectoryEntry("LDAP://DC=dryland,DC=local", txtLogon.Text, txtPassword.Text, DirectoryServices.AuthenticationTypes.Secure)
    ds = New DirectorySearcher(de)
    Dim tmpName As String = de.Name
Catch dscomex As DirectoryServices.DirectoryServicesCOMException
    MsgBox(dscomex.Message + vbCrLf + dscomex.ExtendedErrorMessage)
Catch ex As Exception
    MsgBox("Error Occurred - " + ex.Message)
End Try

The problem is that whenever I use a username/password that is NOT a Domain Admin account, the error occurs. The error is thrown when the code executes the line "Dim tmpName As String = de.Name". Within the Try, Catch, End block the DirectoryServicesCOMException error is thrown, and the dscomex.ExtendedErrorMessage is "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1". However, for Domain Admin accounts, everything works fine.

It's really strange because I believe I've ensured the non Domain Admin account I'm using has the right level of permissions to read the Active Directory, but I keep getting this error, and it's not even a simple "permission denied" error, it's a more cryptic LDAP error!

Thanks for your help


OK, even more strange. As part of my testing, I added Domain Admin to another account, but it still gives exactly the same error. So, the situation is actually like this:

1. If I log on to the PC as DomainA\UserA, and within the application I log on as DomainB\UserA, the application works
2. If I log on to the PC as DomainA\UserB, and within the application I log on as DomainB\UserB, the application fails
3. If I log on to the PC as DomainA\UserB, and within the application I log on as DomainA\UserA, the application works
4. If I log on to the PC as DomainA\UserA, and within the application I log on as DomainB\UserB, the application fails

So, it doesn't seem to matter which user has logged on to the PC (which makes sense, because I'm specifying the Domain B username when I log into the second domain from within the application). However, the application only works with one logon. I'm sure the issue is related to security permissions, but as DomainB\UserA and DomainB\UserB are both Domain Admins, I can't see any reason for security issues. Help!!

Thanks
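
As an added example (not part of the original thread and not code from any poster): a VB.NET helper that decodes the "data" field of the ExtendedErrorMessage quoted in the question, so the Catch block can report why the bind was rejected. The module and function names are hypothetical; the sub-status values are standard Win32 error codes written in hex.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Text.RegularExpressions

Module LdapBindErrorDecoder   ' hypothetical name, not from the thread

    ' Sub-status values Active Directory reports in the "data" field of an
    ' AcceptSecurityContext failure. Each is a Win32 error code in hex.
    Private ReadOnly BindSubStatus As New Dictionary(Of Integer, String) From {
        {&H525, "ERROR_NO_SUCH_USER: user name not found"},
        {&H52E, "ERROR_LOGON_FAILURE: unknown user name or bad password"},
        {&H530, "ERROR_INVALID_LOGON_HOURS: logon not allowed at this time"},
        {&H531, "ERROR_INVALID_WORKSTATION: logon not allowed from this workstation"},
        {&H532, "ERROR_PASSWORD_EXPIRED: password has expired"},
        {&H533, "ERROR_ACCOUNT_DISABLED: account is disabled"},
        {&H701, "ERROR_ACCOUNT_EXPIRED: account has expired"},
        {&H773, "ERROR_PASSWORD_MUST_CHANGE: password must be changed before logon"},
        {&H775, "ERROR_ACCOUNT_LOCKED_OUT: account is locked out"}
    }

    ' Extracts the hex "data" field and returns a readable reason, or the
    ' original text when the message is not an AcceptSecurityContext failure.
    Public Function DescribeBindError(extendedError As String) As String
        If String.IsNullOrEmpty(extendedError) Then Return "(no extended error returned)"
        Dim m As Match = Regex.Match(extendedError,
            "AcceptSecurityContext error,\s*data\s+([0-9a-fA-F]+)", RegexOptions.IgnoreCase)
        If Not m.Success Then Return extendedError
        Dim code As Integer = Convert.ToInt32(m.Groups(1).Value, 16)
        Dim meaning As String = Nothing
        If Not BindSubStatus.TryGetValue(code, meaning) Then
            meaning = "unrecognised sub-status, look up as a Win32 error code"
        End If
        Return String.Format("data {0:x} = Win32 error {0}: {1}", code, meaning)
    End Function

    Sub Main()
        ' The ExtendedErrorMessage quoted in the question.
        Dim sample As String =
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1"
        ' data 52e is an authentication failure at bind time,
        ' not an access-control (ACL) denial on the directory objects.
        Console.WriteLine(DescribeBindError(sample))
    End Sub
End Module
```

Write the decoded reason to a log for the administrator rather than showing it at the logon prompt, since the difference between 525 and 52e reveals whether an account name exists.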

