Get all Members from Domain Local Group across multi-forest environment


Question


I have a domain local group that is a part of domain A in forest A.


I am trying to iterate all the members in this group. It iterates through all the domains of forest A just fine, but does not iterate any members of the group that are in domain B, in forest B.


Is the only approach to iterate through the same code starting in different forests?


We have tried using the System.DirectoryServices.AccountManagement classes, but there appears to be an issue with them and Windows Server 2012 domain controllers.

// Members of the calling class. The User type and the getDomainFromDN helper were not
// shown in the question; minimal versions are filled in here so the snippet compiles.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

public class User
{
    public string UserName { get; set; }
    public string DistinguishedName { get; set; }
    public string Title { get; set; }
    public string Department { get; set; }
    public string DisplayName { get; set; }
    public string DomainName { get; set; }
}

private List<User> getUsersInGroup(string groupDN)
{
    var users = new List<User>();

    // rootDSE of the global catalog yields the forest root naming context
    using (DirectoryEntry de = new DirectoryEntry("GC://rootDSE"))
    {
        var rootName = de.Properties["rootDomainNamingContext"].Value.ToString();
        using (var userBinding = new DirectoryEntry("GC://" + rootName))
        {
            using (DirectorySearcher adSearch = new DirectorySearcher(userBinding))
            {
                adSearch.ReferralChasing = ReferralChasingOption.All;
                // memberOf is a back-link maintained only inside this forest. The DN is
                // escaped so characters such as ( ) * \ in it cannot alter the filter.
                adSearch.Filter = String.Format("(&(memberOf={0})(objectClass=person))", escapeFilterValue(groupDN));
                adSearch.PropertiesToLoad.Add("distinguishedName");
                adSearch.PropertiesToLoad.Add("givenname");
                adSearch.PropertiesToLoad.Add("samaccountname");
                adSearch.PropertiesToLoad.Add("sn");
                adSearch.PropertiesToLoad.Add("title");
                adSearch.PropertiesToLoad.Add("displayName");
                adSearch.PropertiesToLoad.Add("department");

                using (var searchResults = adSearch.FindAll())
                {
                    foreach (SearchResult result in searchResults)
                    {
                        User u = new User();

                        u.DistinguishedName = result.Properties["distinguishedName"][0].ToString();
                        // objectClass=person also matches contacts, which carry no sAMAccountName
                        if (result.Properties.Contains("samaccountname"))
                        {
                            u.UserName = result.Properties["samaccountname"][0].ToString();
                        }

                        if (result.Properties.Contains("title"))
                        {
                            u.Title = result.Properties["title"][0].ToString();
                        }

                        if (result.Properties.Contains("department"))
                        {
                            u.Department = result.Properties["department"][0].ToString();
                        }

                        if (result.Properties.Contains("displayName"))
                        {
                            u.DisplayName = result.Properties["displayName"][0].ToString();
                        }
                        u.DomainName = getDomainFromDN(u.DistinguishedName);

                        users.Add(u);
                    }
                }
            }
        }
    }

    return users;
}

// Escapes the characters that have meaning in an LDAP filter (RFC 4515).
private static string escapeFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

// Derives the DNS domain name from the DC= components of a distinguished name.
private static string getDomainFromDN(string dn)
{
    return string.Join(".", dn.Split(',')
        .Select(p => p.Trim())
        .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
        .Select(p => p.Substring(3)));
}

Thanks for your help.

Answer


You won't be able to search for group members in a different forest by using the memberOf property because it's just not set when you add a user to a domain local group that belongs to another forest.


Instead, AD creates an object of type ForeignSecurityPrincipal in the domain of the group that has the target user's SID as its CN. Then the DN of that object gets added to the group's members property.


Unfortunately, unlike user objects, foreignSecurityPrincipal objects never get the memberOf property, so your search won't find them even if you remove the objectType condition.


So, you really should reverse your search and enumerate the group's members property as suggested by rufanov.


But you should also extend the code to handle those foreign security principals. To detect whether your DirectoryEntry represents a foreign principal, check whether its objectClass contains foreignSecurityPrincipal. If it does, the CN property will contain the SID, which you can use to search by the objectSid property.

using System.Linq;                  // Cast<string>()
using System.Security.Principal;    // SecurityIdentifier, NTAccount, IdentityReference

if (de.Properties["objectClass"].Contains("foreignSecurityPrincipal"))
{
    // The CN of a foreignSecurityPrincipal is the SID of the account in the trusted forest;
    // use this value in a search condition for objectSid
    var sidString = de.Properties["cn"].Cast<string>().First();

    IdentityReference id = new SecurityIdentifier(sidString);

    // Translate resolves the SID across the trust; it throws IdentityNotMappedException
    // when the trusted forest is unreachable or the account no longer exists (orphaned FSP)
    var account = id.Translate(typeof(NTAccount)).ToString().Split('\\');

    var userName = account[1];
    var domainName = account[0];
}
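As an added example that is not part of the question or the answer above: the C# below reverses the search the way the answer recommends, reading the group's member attribute instead of querying memberOf, recursing into nested groups, reading large groups with range retrieval, and resolving foreignSecurityPrincipal entries across the trust by their SID. The type and method names (ResolvedMember, CrossForestGroupEnumerator, ReadMemberDns, SidFilter) are this example's own, and it assumes that serverless LDAP://<DN> binds can reach every domain of the group's forest with the caller's credentials.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;

// Added example, not code from the question or answer. Names below are this example's own.
public sealed class ResolvedMember
{
    public string DistinguishedName;   // DN exactly as listed in the group's member attribute
    public string Domain;              // NetBIOS domain, or "" when a foreign SID could not be mapped
    public string Name;                // account name, or the raw SID string for an unmappable FSP
    public bool IsForeign;             // true when the entry was a foreignSecurityPrincipal
}

public static class CrossForestGroupEnumerator
{
    // Direct and nested members of the group. Assumes LDAP://<DN> serverless binds
    // reach every domain in the group's forest with the caller's credentials.
    public static List<ResolvedMember> GetMembers(string groupDn)
    {
        var found = new List<ResolvedMember>();
        Walk(groupDn, found, new HashSet<string>(StringComparer.OrdinalIgnoreCase));
        return found;
    }

    private static void Walk(string groupDn, List<ResolvedMember> found, HashSet<string> visited)
    {
        if (!visited.Add(groupDn)) return;                 // guard against circular nesting

        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            foreach (string memberDn in ReadMemberDns(group))
            {
                using (var entry = new DirectoryEntry("LDAP://" + memberDn))
                {
                    var classes = entry.Properties["objectClass"].Cast<string>().ToList();
                    if (classes.Contains("group", StringComparer.OrdinalIgnoreCase))
                        Walk(memberDn, found, visited);      // nested group: recurse
                    else if (classes.Contains("foreignSecurityPrincipal", StringComparer.OrdinalIgnoreCase))
                        found.Add(ResolveForeign(entry, memberDn));
                    else
                        found.Add(new ResolvedMember
                        {
                            DistinguishedName = memberDn,
                            Domain = DomainFromDn(memberDn),
                            Name = entry.Properties["sAMAccountName"].Cast<string>().FirstOrDefault() ?? "",
                            IsForeign = false
                        });
                }
            }
        }
    }

    // Reads "member" with range retrieval so groups larger than the DC's MaxValRange
    // (1500 values by default) are returned in full instead of silently truncated.
    private static IEnumerable<string> ReadMemberDns(DirectoryEntry group)
    {
        const int step = 1500;
        for (int low = 0; ; low += step)
        {
            string request = string.Format("member;range={0}-{1}", low, low + step - 1);
            using (var searcher = new DirectorySearcher(group, "(objectClass=*)", new[] { request }, SearchScope.Base))
            {
                SearchResult self = searcher.FindOne();
                if (self == null) yield break;
                // The DC labels the slice it actually returned, e.g. "member;range=0-1499" or "member;range=1500-*".
                string returned = self.Properties.PropertyNames.Cast<string>()
                    .FirstOrDefault(n => n.StartsWith("member;range=", StringComparison.OrdinalIgnoreCase));
                if (returned == null) yield break;          // empty group, or nothing past the last slice
                foreach (string dn in self.Properties[returned]) yield return dn;
                if (returned.EndsWith("*")) yield break;    // "*" marks the final slice
            }
        }
    }

    // A foreignSecurityPrincipal carries the trusted account's SID as its CN. Translate it
    // across the trust to DOMAIN\name; if the other forest is unreachable or the account was
    // deleted (an orphaned FSP), the raw SID is kept so the member is not dropped.
    private static ResolvedMember ResolveForeign(DirectoryEntry fsp, string dn)
    {
        string sidString = fsp.Properties["cn"].Cast<string>().First();
        var member = new ResolvedMember { DistinguishedName = dn, Domain = "", Name = sidString, IsForeign = true };
        try
        {
            string account = new SecurityIdentifier(sidString).Translate(typeof(NTAccount)).ToString();
            string[] parts = account.Split(new[] { '\\' }, 2);
            if (parts.Length == 2) { member.Domain = parts[0]; member.Name = parts[1]; }
        }
        catch (SystemException) { }   // IdentityNotMappedException or a trust/RPC failure
        return member;
    }

    // objectSid filter in escaped binary form, for a follow-up search against a GC of the
    // trusted forest when attributes beyond the account name (title, department) are needed.
    public static string SidFilter(SecurityIdentifier sid)
    {
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        return "(objectSid=" + string.Concat(raw.Select(b => "\\" + b.ToString("x2"))) + ")";
    }

    // DNS domain name from the DC= components of a distinguished name.
    private static string DomainFromDn(string dn)
    {
        return string.Join(".", dn.Split(',').Select(p => p.Trim())
            .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase)).Select(p => p.Substring(3)));
    }
}
```

Call CrossForestGroupEnumerator.GetMembers(groupDn) with the group's distinguished name. A result with IsForeign set and an empty Domain is either an orphaned FSP (the trusted account no longer exists) or one the trust could not resolve at that moment; both are worth reporting rather than dropping, since orphaned FSPs accumulate in domain local groups and confuse access reviews. SidFilter produces the filter for a second search against a global catalog of the trusted forest when more than the account name is required.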
