Active Directory - Cross Domains


Problem description

My role is on the developer side. I have an application that I am trying to check to see if a user has access to a share. In the application, I check the groups on that share. Then I check all the groups the user is in.

In one case, I am not able to see the Local group that the user is in, either in code or in AD in Windows. For example:

Domain A\User1 > Domain A\Global Group > Do not see: Domain B\Local Group

But when I look from Domain B I see:

Share > Domain B\Local Group > Domain A\Global Group > Do not see Domain A\User1

Is there some security setting that is not set correctly, since I don't see it in the Windows tool or in code?

Update

I have tried the following code. I am still unable to see Domain B\Local Group.

using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

string account = "{User**Or**Group}";
string domain = "{Domain}";

// ADHelper is the poster's own helper that resolves the account to its distinguishedName.
string dn = ADHelper.GetDistinguishedName(domain, account);

// Walk every domain in the forest and list the token groups visible from each one.
using (var forest = Forest.GetCurrentForest())
{
    foreach (Domain domainName in forest.Domains)
    {
        Console.WriteLine(string.Format("Domain: {0}", domainName.Name));
        Console.WriteLine("========================================================");
        GetAllGroups(dn, domainName.Name);
        domainName.Dispose();
    }
}

void GetAllGroups(string dn, string domain)
{
    // DirectorySearcher(string) takes a filter, not a path, so the search root has to be a DirectoryEntry
    // bound to the Global Catalog of this domain.
    using (var root = new DirectoryEntry(string.Format("GC://{0}", domain)))
    using (var ds = new DirectorySearcher(root))
    {
        ds.Filter = String.Format("(&(distinguishedName={0}))", dn);

        SearchResult sr = ds.FindOne();
        if (sr == null)
            return;

        // tokenGroups is a constructed attribute and must be requested explicitly.
        DirectoryEntry Diruser = sr.GetDirectoryEntry();
        Diruser.RefreshCache(new string[] { "tokenGroups" });

        for (int i = 0; i < Diruser.Properties["tokenGroups"].Count; i++)
        {
            // Each value is a binary SID; translate it to DOMAIN\Name where this domain can resolve it.
            SecurityIdentifier sid = new SecurityIdentifier((byte[])Diruser.Properties["tokenGroups"][i], 0);
            try
            {
                NTAccount nt = (NTAccount)sid.Translate(typeof(NTAccount));
                Console.WriteLine(nt.Value + "\t" + domain);
            }
            catch { } // SIDs that cannot be mapped to an account from this domain are skipped
        }
    }
}


Recommended answer

In order to retrieve all groups a user belongs to, you have to query one Global Catalog in each domain of the entire forest for the user's membership (the user's tokenGroups attribute will return nested groups as well), then remove duplicated groups.

Be aware that Active Directory cannot return more than 5K values of a single attribute in one query. If a user belongs to more than 10K groups, then AD will return only the first 5K. You have to use a technique called range retrieval to query for membership in that case.

Also, there may be some external trusted domains that you also have to handle.

Another solution is to use the GetEffectiveRightsFromAcl function to calculate effective user permissions for the specified share. The solution is described here.

Note that you will need to pass SE_OBJECT_TYPE.SE_LMSHARE as the object type to the function.
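As an added illustration of the two points in the answer above (example code, not the poster's or the asker's): decoding the binary SIDs that tokenGroups returns, merging the results of several Global Catalogs by SID so a group seen from two domains is counted once, and the range-retrieval loop over a multi-valued attribute. The GC host names, the SIDs and the fake_gc server are constructed for offline use; against a real directory the fetch callback would wrap an LDAP client such as DirectorySearcher.

```python
import re
import struct
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID, as AD returns it in tokenGroups, into S-R-A-S1-... form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def make_sid(*subs: int) -> bytes:
    """Build a constructed NT-authority (5) binary SID for the sample data below."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

# Constructed tokenGroups results from two GCs; the group with RID 1105 is seen from both domains.
SAMPLE_TOKEN_GROUPS: Dict[str, List[bytes]] = {
    "gc.domaina.example": [make_sid(21, 111, 222, 333, 1104), make_sid(21, 444, 555, 666, 1105)],
    "gc.domainb.example": [make_sid(21, 444, 555, 666, 1105), make_sid(21, 444, 555, 666, 1106)],
}

def merge_token_groups(per_gc: Dict[str, Iterable[bytes]]) -> Set[str]:
    """Union the tokenGroups of every GC queried, keyed by SID so a group seen twice is kept once."""
    return {sid_bytes_to_string(raw) for sids in per_gc.values() for raw in sids}

_RANGE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def next_range_request(returned_attr: str) -> Optional[str]:
    """From the name AD returned ('member;range=0-1499') derive the next request, or None at '...-*'."""
    m = _RANGE.match(returned_attr)
    if m is None or m["hi"] == "*":
        return None
    return "%s;range=%d-*" % (m["attr"], int(m["hi"]) + 1)

def retrieve_all_values(fetch: Callable[[str], Tuple[str, List[str]]], attr: str) -> List[str]:
    """Range retrieval loop: request 'attr;range=N-*' until the server answers with an upper bound of '*'."""
    request, values = "%s;range=0-*" % attr, []
    while request is not None:
        returned, chunk = fetch(request)
        values.extend(chunk)
        request = next_range_request(returned)
    return values

def fake_gc(total: int, page: int = 1500) -> Callable[[str], Tuple[str, List[str]]]:
    """Constructed stand-in for a GC that returns at most `page` values of a multi-valued attribute per response."""
    def fetch(request: str) -> Tuple[str, List[str]]:
        m = _RANGE.match(request)
        lo, hi = int(m["lo"]), min(int(m["lo"]) + page, total) - 1
        label = "*" if hi >= total - 1 else str(hi)
        return "%s;range=%d-%s" % (m["attr"], lo, label), ["CN=G%d" % i for i in range(lo, hi + 1)]
    return fetch
```

The returned attribute name is the only completion signal the server gives: a numeric upper bound means more values remain, an upper bound of `*` means the last chunk has been delivered.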
