使用 Sharepoint API 获取 AD 域组的成员 [英] Getting members of an AD domain group using Sharepoint API

问题描述

在我的 Sharepoint 代码中，我通过以下方式显示所有已定义用户的列表:

In my Sharepoint code I display a list of all defined users via:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

最重要的是，我可以将域安全组添加到 Sharepoint 组(如访客)，从而一次添加多个用户(更简单的管理).但是我的代码至少在他们第一次登录之前看不到这些用户(如果他们有足够的权限).在这种情况下，我只能看到域安全组 SPUser 对象实例，其 IsDomainGroup 设置为 true.

The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.

是否可以通过 Sharepoint 获取域组成员，而无需求助于 Active Directory 查询(这是我宁愿避免的事情，因为您可能需要足够的权限来执行此类操作 = 更多管理:Sharepoint 权限 + AD 权限).

Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).

推荐答案

您可以使用方法 SPUtility.GetPrincipalsInGroup (MSDN).

You can use the method SPUtility.GetPrincipalsInGroup (MSDN).

除了string input，所有参数都是不言自明的，它是安全组的NT账户名:

All parameters are self-explaining except string input, which is the NT account name of the security group:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

请注意，此方法不会解析嵌套的安全组.此外，执行用户需要在当前网络上具有浏览用户信息的权限(SPBasePermissions.BrowseUserInfo).

Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.

更新:

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

[...] 求助于 Active Directory 查询(这是我宁愿避免的事情，因为您可能需要足够的权限来执行此类操作 [...]

[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]

当然，这是真的，但 SharePoint 也必须查找 AD.这就是为什么需要应用程序池服务帐户才能对 AD 进行读取访问的原因.换句话说，如果您运行恢复到进程帐户的代码，您应该可以安全地执行针对 AD 的查询.

That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD. In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.

这篇关于使用 Sharepoint API 获取 AD 域组的成员的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！