使用SharePoint API AD域组成员获取 [英] Getting members of an AD domain group using Sharepoint API

问题描述

在我的SharePoint的代码，我通过显示所有已定义用户的列表：

In my Sharepoint code I display a list of all defined users via:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

伟大的部分是，我可以在一个域安全组添加到SharePoint组（如访客）从而增加了许多用户一次（简化管理）。但是，我的代码没有看到这些用户至少不会直到他们登录的第一次（如果他们有足够的权限）。在这种情况下，我只能看到域安全组 SPUser 对象实例与 IsDomainGroup 设置为真正。

The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.

是否有可能由SharePoint 而不诉诸到Active Directory查询（这是我宁愿避免，因为你可能需要足够的权限做这样的操作=更多的管理：Sharepoint的权利+ AD权限）。

Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).

推荐答案

您可以使用方法 SPUtility.GetPrincipalsInGroup （ MSDN ）。

所有的参数都是自我解释，除了字符串输入，这是安全组的NT帐户名：

All parameters are self-explaining except string input, which is the NT account name of the security group:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

请注意，这种方法并不能解决嵌套安全组。进一步执行用户需要拥有当前Web浏览上的用户信息的权限（ SPBasePermissions.BrowseUserInfo ）。

Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.

更新：

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

编辑：

[...]诉诸到Active Directory查询（这是一件好事，我宁愿避免，因为你可能需要足够的权限才能执行这样的操作[。 ..]

[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]

这是真的，当然，但的SharePoint有来查找AD也是如此。这就是为什么一个应用程序池服务帐户有读取访问指令要求。
换句话说，你应该是安全的执行对AD的查询，如果你运行你的代码收归进程帐户。

That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD. In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.

这篇关于使用SharePoint API AD域组成员获取的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！