将成员从受信任的域添加到 AD 组 [英] Add member to AD group from a trusted domain

问题描述

我有两个域，处于信任关系中，我试图从 C# Web 应用程序管理它们.为此，我必须模拟两个不同的技术用户，但效果很好，所以我不会强调那部分代码.

I have two domains, in a trusted relationship, that I'm trying to manage from a C# web application. To do that, I have to impersonate two different technical users, but that works good, so I will not emphasize that part of the code.

要为文件系统构建适当且易于管理的 ACL，我必须

To build proper and easy to manage ACLs for the file system, I must

• 在域 A 中创建一个组(好的！)
• 在 domainB 中查找用户(好的！)
• 将用户添加到组中(提交更改时失败，错误消息:服务器上没有此类对象.(来自 HRESULT 的异常:0x80072030))

如果我添加来自同一个域的用户，则代码运行良好，所以我相信我在这里只遗漏了一小部分信息.我使用本文档作为参考看到了这个问题 以及(还有一些引用此错误消息)，但它们都没有帮助.

If I'm adding a user from the same domain, the code works perfectly, so I believe I'm only missing a small partial info here. I used this document as a reference and saw this question as well (and a few more citing this error message) but neither of them helped.

代码(删除了try-catch块以使其更简单)

Code (try-catch block removed to make it simpler)

// de is a DirectoryEntry object of the AD group, received by the method as a parameter
// first impersonation to search in domainB
// works all right
if (impersonator.impersonateUser("techUser1", "domainB", "pass")) {
    DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass");
    de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
    // de.Invoke("Add", new object[] { "LDAP://domainA.company.com/CN=anotherUserFromDomainA,OU=AnotherOU,DC=domainB,DC=company,DC=com" });
    impersonator.undoImpersonation();
}

// second impersonation because the group (de) is in domainA
// and techUser2 has account operator privileges there
if (impersonator.impersonateUser("techUser2", "domainA", "pass"))
{
    de.CommitChanges();
    impersonator.undoImpersonation();
    return true;
}
else
{
    // second impersonation was unsuccessful, so return an empty object
    return false;
}

第 6 行有效，如果我调试它或强制将属性写入 HttpResponse，它显然就在那里.所以 LDAP 查询似乎没问题.

Line 6 works, if I debug it or force the properties to be written to HttpResponse, it is clearly there. So the LDAP queries seem to be OK.

此外，如果我注释掉第 6 行并取消注释第 7 行，那么基本上我添加了一个来自同一域的用户，整个事情会奇迹般地运行.对于域B，我被卡住了.有什么好的建议吗?

Also, if I comment out line 6 and uncomment 7, so basically I add a user from the same domain, the whole thing works miraculously. With domainB, I'm stuck. Any good piece of advice?

推荐答案

按照你的代码，我看到你得到 de 作为参数，它在 Domain A.然后你正在创建 DirectoryEntry 对象 dom，它被 模拟，但从未被使用过.但是，您正在尝试使用 LDAP 直接将对象从 Domain B 添加到 de.这一行:

Following your code, I see that you're getting de as a parameter, which is in Domain A. Then you're creating DirectoryEntry object dom, which is getting impersonated, but never getting used. However, you're trying to add an object from Domain B to de directly using LDAP. This line:

de.Invoke("Add", new object[{"LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" }); 

没有被模拟.

假设您的 impersonation 工作正常， 使用 dom 对象，该对象已经 impersonated 和 DirectorySearcher在Domain B中找到用户，然后将Domain B中的用户对象添加到de.

Assuming your impersonation works correctly, use dom object which is already impersonated with DirectorySearcher to find the user in Domain B and then add the user object from Domain B to de.

...
using (DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass"))
{
    using (DirectorySearcher searcher = new DirectorySearcher(dom))
    {
        searcher.Filter = "(&(objectClass=user)(CN=theUserIWantToAdd))";
        SearchResult result = searcher.FindOne();
        de.Invoke("Add", new object[] { result.Path });
    }
}
...

UDPATE

此示例将向您展示如何从一个域中获取用户 SID、从另一个域中搜索组并使用 SID 将用户添加到组中.

UDPATE

This example will show you how to get user SID from one domain, search group from another domain and add user to group using SID.

//GET THE USER FROM DOMAIN B
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainContext, UPN))
{
    if (userPrincipal != null)
    {
       //FIND THE GROUP IN DOMAIN A
       using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, groupName))
       {
          if (groupPrincipal != null)
          {
             //CHECK TO MAKE SURE USER IS NOT IN THAT GROUP
             if (!userPrincipal.IsMemberOf(groupPrincipal))
             {
                string userSid = string.Format("<SID={0}>", userPrincipal.SID.ToString());
                DirectoryEntry groupDirectoryEntry = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
                groupDirectoryEntry.Properties["member"].Add(userSid);
                groupDirectoryEntry.CommitChanges();
              }
           }
        }
     }
 }

请注意，我跳过了上面代码中的所有impersonation.

Please note that I skipped all the impersonation in the above code.

这篇关于将成员从受信任的域添加到 AD 组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！