Active Directory: The Principal Class - S.DS.AM vs S.DS.AD

Question

I am working on an access audit report for Active Directory. I am extracting data via a C# script component in SSIS, using LDAP, into a SQL Server database. This is my first major foray into AD, so I freely admit a lack of intimate knowledge. I am trying to remove the blinders by asking those with experience on the topic. Pardon me in advance if I have mixed any of my metaphors.

With respect to retrieving data for all users, is it best just to stick with the Principal Class, and access GroupPrincipal, UserPrincipal, and ComputerPrincipal (i.e. concrete classes) via S.DS.AM, or is it better to get everything from S.DS.AD (see reference below)? I understand that both are subclassed off S.DS, so it is possible to miss objects not contained in S.DS.AD when using S.DS.AM. Are there any pertinent data or objects that are contained in S.DS.AD, but not in S.DS.AM, that would be helpful for an access control audit? Also, I understand that if PageSize=1000 then I may need to go with S.DS.AD and then loop through S.DS.AM.

If it is best to use S.DS.AM, is there a way to capture any abstract or auxiliary classes that have been created and are sub-classed off of the concrete classes? Would I just use the StructuralObjectClass property value?

S.DS.AD: https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory(v=vs.110).aspx

S.DS.AM: https://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement(v=vs.110).aspx

Recommended answer

The System.DirectoryServices.AccountManagement namespace is a wrapper over System.DirectoryServices. The namespace contains classes covering the most common cases that programmers face while working with AD. These classes are designed to perform a limited set of tasks in small to medium environments and have performance issues.

For example, GroupPrincipal.Members will load the entire group membership on first call, which may not be the desired behavior in enterprise environments where groups may contain 10-100k principals and range retrieval is the best option.

Using System.DirectoryServices or System.DirectoryServices.Protocols allows you to manage resources (RAM, network traffic) that your process uses while communicating with AD.

System.DirectoryServices.ActiveDirectory may be used in every environment, as the amount of data these classes return is quite small (e.g. Active Directory schema, sites, domain controllers).
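
The range retrieval mentioned in the answer above, as an added example that is not part of the original answer: it reads a group's `member` attribute in chunks through System.DirectoryServices instead of loading everything via GroupPrincipal.Members. The `GroupAudit` class, the group DN (a constructed placeholder) and the step of 1500 values per request are assumptions; the loop advances by the number of values actually returned, so a smaller server-side limit also works.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class GroupAudit // hypothetical helper, not from the original answer
{
    // Streams the distinguished names of a group's direct members,
    // asking the server for one slice of the "member" attribute at a time.
    public static IEnumerable<string> GetMembers(string groupPath, int step = 1500)
    {
        using (var group = new DirectoryEntry(groupPath))
        {
            int low = 0;
            while (true)
            {
                string wanted = $"member;range={low}-{low + step - 1}";
                using (var searcher = new DirectorySearcher(
                    group, "(objectClass=*)", new[] { wanted }, SearchScope.Base))
                {
                    SearchResult result = searcher.FindOne();
                    if (result == null) yield break;

                    // The server picks the attribute name it answers with:
                    // "member;range=0-1499", or "member;range=3000-*" for the last slice.
                    string returned = null;
                    foreach (string name in result.Properties.PropertyNames)
                        if (name.StartsWith("member;range=", StringComparison.OrdinalIgnoreCase))
                            returned = name;
                    if (returned == null) yield break;   // empty group

                    ResultPropertyValueCollection values = result.Properties[returned];
                    foreach (object dn in values) yield return (string)dn;

                    if (returned.EndsWith("-*", StringComparison.Ordinal)) yield break;
                    low += values.Count;                 // next slice starts here
                }
            }
        }
    }

    static void Main()
    {
        // Constructed placeholder path; replace with a group in the audited domain.
        const string path = "LDAP://CN=Example Group,OU=Groups,DC=example,DC=com";
        int count = 0;
        foreach (string dn in GetMembers(path)) { Console.WriteLine(dn); count++; }
        Console.WriteLine($"{count} direct members");
    }
}
```

Because the members are yielded one by one, the audit job can write each row to SQL Server as it arrives and never holds the full membership in memory.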
