How to check if a user belongs to an Active Directory group properly?


Problem description

Hey there!

I'm having a problem checking if a user belongs to an Active Directory group.
The first approach finds the user in question and groups he belongs to, then checks if he belongs to a specific group.
First I call the userBelongsToGroup() function, then add the user to the group, check again, then remove the user from the group and finally check again.
This approach always returns false or always true (on all three checks) and I can't figure out why. It should be possible to find the answer this way but it seems I'm missing something.
Here is the code for the first incorrectly working approach:

using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static bool userBelongsToGroup(string userName)
{
  try
  {
    PrincipalContext adPrincipalContext = new PrincipalContext(ContextType.Domain, Constant.ServerDomain);
    UserPrincipal user = UserPrincipal.FindByIdentity(adPrincipalContext, userName);
    // Authorization groups: the groups the user's token would contain (nested groups included)
    PrincipalSearchResult<Principal> userGroups = user.GetAuthorizationGroups();
    List<Principal> groupList = userGroups.Where(x => x.SamAccountName.Equals(Constant.GroupName)).ToList();
    if (groupList.Count() > 0) return true;
  }
  catch (Exception ex)
  {
    //Log the error (an unknown user also ends up here, because user is null)
  }
  return false;
}

The second approach finds the group first, gets all member users, and then checks if that list contains the user in question. This approach works properly!
Code for the second approach:

using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public static bool groupContainsUser(string userName)
{
  try
  {
    PrincipalContext adPrincipalContext = new PrincipalContext(ContextType.Domain, Constant.ServerDomain);
    GroupPrincipal group = GroupPrincipal.FindByIdentity(adPrincipalContext, Constant.GroupName);
    // Direct members only (recursive = false)
    PrincipalSearchResult<Principal> users = group.GetMembers(false);
    // Note: userName is never consulted; this is true whenever the group has at least one member
    if (users?.Select(x => x.SamAccountName).Count() > 0) return true;
  }
  catch (Exception ex)
  {
    //Log the error
  }
  return false;
}

What am I doing wrong with the first approach?

This is my first post so please warn me if I'm doing something wrong. Thanks! :)

Recommended answer

Hi StrbogPhifyl,

Thank you for posting here.

For the first sample, if the user exists but is not in the group, it will return false as well. The second method does not use the userName; what does the userName parameter do for this method? If you want to get the correct answer, please check the domain name and the group name in your method.

Here is a simple example for your reference.

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static void GetAD()
{
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
    {
        using (UserPrincipal user = new UserPrincipal(context))
        {
            // Query by example: find the user principal with this SamAccountName
            user.SamAccountName = "userName";
            using (PrincipalSearcher searcher = new PrincipalSearcher(user))
            {
                foreach (var result in searcher.FindAll())
                {
                    // Distinguished name of the group to test for
                    string groupDn = "CN=xxxxx,OU=xxxxs,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx";

                    DirectoryEntry de = result.GetUnderlyingObject() as DirectoryEntry;
                    // Search from the user's own entry, keeping only user objects whose memberOf contains the group
                    DirectorySearcher searcher2 = new DirectorySearcher(de);
                    searcher2.Filter = string.Format("(&(objectCategory=user)(objectClass=user)(memberOf={0}))", groupDn);
                    SearchResultCollection results2 = searcher2.FindAll();

                    foreach (SearchResult res2 in results2)
                    {
                        ResultPropertyValueCollection Name = res2.Properties["name"];

                        foreach (var name in Name)
                        {
                            Console.WriteLine("The User {0} is in an AD group {1}.", name.ToString(), groupDn);
                        }
                    }
                }
            }
        }
    }
}

If the user exists and is in the group, it will return the group name. If it does not exist, it will show nothing. You could use this way to check the username and group name.

Best regards,

Wendy
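A membership check that actually uses the supplied user name, tells a missing user or group apart from a non-member, walks nested groups, compares SIDs rather than names, and disposes the directory objects. This is an added example, not the poster's or the answerer's code; Constant.ServerDomain and Constant.GroupName are the question's own names, while MembershipResult and AdMembership are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not from the original post). Distinguishes the four outcomes
// that the question's boolean methods collapse into true/false.
public enum MembershipResult { UserNotFound, GroupNotFound, NotMember, Member }

public static class AdMembership
{
    // Returns whether userName is a member of groupName in the given domain.
    // Nested membership is resolved when recursive is true, which is what an
    // authorization decision needs; direct members only when it is false.
    public static MembershipResult Check(string domain, string userName,
                                         string groupName, bool recursive = true)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            // Look up both sides by SamAccountName so a typo in either name is
            // reported instead of silently reading as "not a member".
            if (user == null) return MembershipResult.UserNotFound;
            if (group == null) return MembershipResult.GroupNotFound;

            using (PrincipalSearchResult<Principal> members = group.GetMembers(recursive))
            {
                foreach (Principal member in members)
                {
                    // Compare SIDs: SamAccountName and display names can be
                    // reused or renamed, the SID identifies the account.
                    if (member.Sid != null && member.Sid.Equals(user.Sid))
                        return MembershipResult.Member;
                }
            }
            return MembershipResult.NotMember;
        }
    }

    public static void Main()
    {
        // Constant.ServerDomain and Constant.GroupName are the names used in the question.
        MembershipResult r = AdMembership.Check(Constant.ServerDomain, "userName", Constant.GroupName);
        Console.WriteLine("Result: {0}", r);
    }
}
```

Exceptions are deliberately not swallowed: a directory outage then surfaces as an error rather than as a quiet "false" that a caller may treat as a policy answer.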
