如何检查用户是否属于 AD 组? [英] How to check if a user belongs to an AD group?

问题描述

起初我认为下面的代码有效，因为如果我将组设为IT"，它会正常运行，因为我的用户名在活动目录中的 IT 组中.我学到的是，无论我的用户名是否在 IT 组中，它总是返回 true，如果我将其更改为我所在的任何其他组，它总是返回 false.任何帮助将不胜感激.

At first I thought the code below works because if I have the group as "IT" it functions correctly because my username is in the IT group in active directory. What I learned is it always returns true whether I have my username in the IT group or not and if i change it to any other group I am in it returns always returns false. Any help would be appreciated.

    private void tabControl1_SelectedIndexChanged(object sender, EventArgs e)
    {
        // tab control security for admin tab
        bool admin = checkGroup("IT");

        if ((admin == true) && (tabControl1.SelectedTab == tpHistory))
        {
            tabControl1.SelectedTab = tpHistory;
        }
        else if ((admin == false) && (tabControl1.SelectedTab == tpHistory))
        {
            tabControl1.SelectedTab = tpRequests;
            MessageBox.Show("Unable to load tab. You have insufficient privileges.",
                "Access Denied", MessageBoxButtons.OK, MessageBoxIcon.Stop);
        }
    }

    // check active directory to see if user is in Marketing department group
    private static bool checkGroup(string group)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(group);
    }

推荐答案

由于您使用的是 .NET 3.5 及更高版本，您应该查看 System.DirectoryServices.AccountManagement (S.DS.AM) 命名空间.在此处阅读所有相关信息:

Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

• 在 .NET Framework 3.5 中管理目录安全主体
• System.DirectoryServices.AccountManagement 上的 MSDN 文档

基本上，您可以定义域上下文并轻松找到 AD 中的用户和/或组:

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

if(user != null)
{
   // check if user is member of that group
   if (user.IsMemberOf(group))
   {
     // do something.....
   } 
}

新的 S.DS.AM 使在 AD 中与用户和组一起玩变得非常容易！

The new S.DS.AM makes it really easy to play around with users and groups in AD!

这篇关于如何检查用户是否属于 AD 组?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！