Fast way to get a list of group members in Active Directory with C#


Problem description

In a web app, we're looking to display a list of sam accounts for users that are a member of a certain group. Groups could have 500 or more members in many cases and we need the page to be responsive.

With a group of about 500 members it takes 7-8 seconds to get a list of sam accounts for all members of the group. Are there faster ways? I know the Active Directory Management Console does it in under a second.

I've tried a few methods:

1)

PrincipalContext pcRoot = new PrincipalContext(ContextType.Domain);
GroupPrincipal grp = GroupPrincipal.FindByIdentity(pcRoot, "MyGroup");
List<string> lst = grp.Members.Select(g => g.SamAccountName).ToList();

2)

PrincipalContext pcRoot = new PrincipalContext(ContextType.Domain);
GroupPrincipal grp = GroupPrincipal.FindByIdentity(pcRoot, "MyGroup");
PrincipalSearchResult<Principal> lstMembers = grp.GetMembers(true);
List<string> lst = new List<string>();
foreach (Principal member in lstMembers)
{
    if (member.StructuralObjectClass.Equals("user"))
    {
        lst.Add(member.SamAccountName);
    }
}

3)

PrincipalContext pcRoot = new PrincipalContext(ContextType.Domain);
GroupPrincipal grp = GroupPrincipal.FindByIdentity(pcRoot, "MyGroup");
System.DirectoryServices.DirectoryEntry de = (System.DirectoryServices.DirectoryEntry)grp.GetUnderlyingObject();
List<string> lst = new List<string>();
foreach (string sDN in de.Properties["member"])
{
    System.DirectoryServices.DirectoryEntry deMember = new System.DirectoryServices.DirectoryEntry("LDAP://" + sDN);
    lst.Add(deMember.Properties["samAccountName"].Value.ToString());
}


Recommended answer

Here is a recursive search (

static void Main(string[] args)
{
  /* Connection to Active Directory
   */
  string sFromWhere = "LDAP://SRVENTR2:389/dc=societe,dc=fr";
  DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "societe\\administrateur", "test.2011");

  /* To find all the users who are members of group "Grp1":
   * Set the base to the groups container DN; for example root DN (dc=societe,dc=fr)
   * Set the scope to subtree
   * Use the following filter:
   * (&(memberof:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=societe,DC=fr)(objectCategory=user))
   */
  DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
  dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=societe,DC=fr)(objectCategory=user))";
  dsLookFor.SearchScope = SearchScope.Subtree;
  dsLookFor.PropertiesToLoad.Add("cn");
  dsLookFor.PropertiesToLoad.Add("samAccountName");  

  SearchResultCollection srcUsers = dsLookFor.FindAll();

  /* Just show each user
   */
  foreach (SearchResult srcUser in srcUsers)
  {
    Console.WriteLine("{0}", srcUser.Path);
    Console.WriteLine("{0}", srcUser.Properties["samAccountName"][0]);
  }

  Console.ReadLine();

}

For @Gabriel Luci's comment: Microsoft documentation

memberOf

The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, except for the primary group, which is represented by the primaryGroupId. Group membership is dependent on the domain controller (DC) from which this attribute is retrieved:


  • At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains.

  • At a GC server, memberOf for the user is complete with respect to all universal group memberships.

If both conditions are true for the DC, both sets of data are contained in memberOf.

Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.

This attribute is not stored—it is a computed back-link attribute.
