Get users from Active Directory Group


Problem description

I created an Active Directory domain named 'ADDOMAIN2' having a group named "CommonUsers" having 8 users. But when I do a Directory Search for users in group "CommonUsers" it returns zero results. Here is my code

    DirectorySearcher searcher = new DirectorySearcher();
    DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("LDAP://{0}", "ADDOMAIN2"), "Administrator", "p@S$w0rd");
    string dnPath = directoryEntry.Properties["distinguishedName"].Value.ToString();

    // string path = string.Format("LDAP://{0}/{1}{2}", "ADDOMAIN2", "", dnPath);
    string path = "LDAP://ADDOMAIN2/CN=CommonUsers,DC=ADDomain2,DC=ADDomain01,DC=WaveDomain";
    directoryEntry.Path = path;
    searcher.SearchRoot = directoryEntry;
    searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
    SearchResultCollection rs = searcher.FindAll();

Any idea what is wrong here?

Thanks

Recommended answer

DirectorySearcher is not used to find users inside a group. It's used to find objects under a base path. Since there are no user objects placed under your AD group object, you won't find anything.

In most cases, you can find the user objects in an AD group from its member attribute. Beware that an AD group can contain either groups or users. So, some of the entries there may be groups. In some cases, the member attribute does not contain an AD group nor an AD user; it contains a Foreign Security Principal. This happens if your user is coming from another forest. The primary group is also handled differently. Even though "Domain User" is the primary group of most of the users in AD, its member attribute doesn't contain anything at all. There are a lot of other oddities that make enumerating an AD group object really hard.

Fortunately, in .NET 3.5, Microsoft provides some useful classes in the framework to do the dirty work for you. Check out System.DirectoryServices.AccountManagement.

To get some quick examples, you can check out this codeproject article.

Your code should be something like this.

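// Requires a reference to System.DirectoryServices.AccountManagement (.NET 3.5+).
PrincipalContext context = new PrincipalContext(ContextType.Domain, "yourdomain.com");
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users");
// FindByIdentity returns null when no matching group exists.
if (groupPrincipal != null)
{
    // false = direct members only; pass true to expand nested groups.
    foreach (Principal principal in groupPrincipal.GetMembers(false))
    {
        Console.Out.WriteLine(principal.DistinguishedName);
    }
}
Console.In.ReadLine();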
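For comparison with the question's DirectorySearcher attempt, here is an added example (not part of the original question or answer) that searches from the domain root for users who belong to the group directly, through nested groups, or through their primary group. The domain root DN is an assumption derived from the path in the question; the code binds as the account running the process instead of embedding a password, escapes the DN before placing it in the filter, and does not resolve Foreign Security Principals from other forests.

```csharp
using System;
using System.DirectoryServices;

static class GroupMemberSearch
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    // The backslash must be replaced first.
    static string EscapeFilter(string v)
    {
        return v.Replace(@"\", @"\5c").Replace("*", @"\2a")
                .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    static void Main()
    {
        // Assumed names: server and group DN come from the question's path,
        // the root DN is that path with the CN=CommonUsers component removed.
        string groupDn = "CN=CommonUsers,DC=ADDomain2,DC=ADDomain01,DC=WaveDomain";
        string rootPath = "LDAP://ADDOMAIN2/DC=ADDomain2,DC=ADDomain01,DC=WaveDomain";

        // No user name or password in source: the bind uses the caller's identity.
        using (var root = new DirectoryEntry(rootPath))
        using (var group = new DirectoryEntry("LDAP://ADDOMAIN2/" + groupDn))
        {
            // primaryGroupToken is a constructed attribute and must be requested explicitly.
            group.RefreshCache(new[] { "primaryGroupToken" });
            int rid = (int)group.Properties["primaryGroupToken"].Value;

            // 1.2.840.113556.1.4.1941 is the "matching rule in chain" OID: it follows
            // nested group membership. primaryGroupID covers users whose primary group
            // is this group, which the member/memberOf attributes never list.
            string filter = string.Format(
                "(&(objectCategory=person)(objectClass=user)" +
                "(|(memberOf:1.2.840.113556.1.4.1941:={0})(primaryGroupID={1})))",
                EscapeFilter(groupDn), rid);

            using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
            {
                searcher.PageSize = 500; // paged search, so large groups are not truncated
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        Console.WriteLine(r.Properties["distinguishedName"][0]);
                }
            }
        }
    }
}
```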
