GroupPrincipal.Members.Remove() doesn't work with a large AD group

Problem description

I'm using the System.DirectoryServices.AccountManagement namespace classes to manage the membership of several groups. These groups control the population of our print accounting system and some of them are very large. I'm running into a problem removing any user from one of these large groups. I have a test program that illustrates the problem. Note that the group I'm testing is not nested, but user.IsMemberOf() also seems to have the same problem, whereas GetAuthorizationGroups() correctly shows the groups a user is a member of. The group in question has about 81K members, which is more than it should have since Remove() isn't working, and will normally be about 65K or so.

I'd be interested to hear from other people who have had this problem and have resolved it. I've got an open case with Microsoft, but the turnaround on the call is slow since the call center is about 17 hours time difference, so they don't arrive for work until about an hour before I usually leave for home.

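// Needs: using System; using System.Linq; using System.DirectoryServices.AccountManagement;
// groupName and userName are strings identifying the group and the user under test.
using (var context = new PrincipalContext( ContextType.Domain ))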
{
    using (var group = GroupPrincipal.FindByIdentity( context, groupName ))
    {
        using (var user = UserPrincipal.FindByIdentity( context, userName ))
        {
            if (user != null)
            {
                var isMember = user.GetAuthorizationGroups()
                                   .Any( g => g.DistinguishedName == group.DistinguishedName );
                Console.WriteLine( "1: check for membership returns: {0}", isMember );
                if (group.Members.Remove( user ))
                {
                    Console.WriteLine( "user removed successfully" );
                    group.Save();
                }
                else
                {
                    // do save in case Remove() is lying to me
                    group.Save();
                    Console.WriteLine( "user remove failed" );
                    var isStillMember = user.GetAuthorizationGroups()
                                            .Any( g => g.DistinguishedName == group.DistinguishedName );
                    Console.WriteLine( "2: check for membership returns: {0}", isStillMember );

                }
            }
        }
    }
}


Recommended answer

Turns out this is a bug in the GroupPrincipal.Members.Remove() code in which remove fails for a group with more than 1500 members. This has been fixed in .NET 4.0 Beta 2. I don't know if they have plans to back port the fix into 2.0/3.x.

The workaround is to get the underlying DirectoryEntry, then use Invoke to execute the Remove command on the IADsGroup object.

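// Needs: using System.DirectoryServices; (for DirectoryEntry)
// group and user are the GroupPrincipal and UserPrincipal found earlier.
var entry = group.GetUnderlyingObject() as DirectoryEntry;
var userEntry = user.GetUnderlyingObject() as DirectoryEntry;
// Calls IADsGroup.Remove with the user's ADsPath.
entry.Invoke( "Remove", new object[] { userEntry.Path } );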
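
The workaround above wrapped with a before/after membership check, so a removal that silently fails is not recorded as done. This is an added example, not part of the original answer: the class and method names are hypothetical, and the check reuses GetAuthorizationGroups() because the question reports it as returning correct results for this group.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Reflection;

// Hypothetical helper (names are illustrative, not from the original post).
static class LargeGroupRemoval
{
    // True when the group's DN appears in the user's authorization groups.
    static bool IsInGroup(UserPrincipal user, GroupPrincipal group)
    {
        using (var groups = user.GetAuthorizationGroups())
        {
            return groups.Any(g => string.Equals(g.DistinguishedName,
                group.DistinguishedName, StringComparison.OrdinalIgnoreCase));
        }
    }

    // Removes the user through IADsGroup.Remove and returns true only when
    // a follow-up membership check no longer lists the group.
    public static bool RemoveAndVerify(string groupName, string userName)
    {
        using (var context = new PrincipalContext(ContextType.Domain))
        using (var group = GroupPrincipal.FindByIdentity(context, groupName))
        using (var user = UserPrincipal.FindByIdentity(context, userName))
        {
            if (group == null || user == null)
                throw new ArgumentException("group or user not found");

            if (!IsInGroup(user, group))
                return true; // nothing to remove

            var groupEntry = (DirectoryEntry)group.GetUnderlyingObject();
            var userEntry = (DirectoryEntry)user.GetUnderlyingObject();
            try
            {
                groupEntry.Invoke("Remove", new object[] { userEntry.Path });
            }
            catch (TargetInvocationException ex)
            {
                // ADSI failures surface wrapped; report the inner COM error.
                Console.Error.WriteLine("Remove failed: {0}", (ex.InnerException ?? ex).Message);
                return false;
            }
            return !IsInGroup(user, group);
        }
    }
}
```

A false return is worth logging by the caller, since it means the account still carries the group's access.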
