Get List of Users From Active Directory In A Given AD Group


Problem description

I have code that searches for all users in a department:

using System.DirectoryServices;

string Department = "Billing";
DirectorySearcher LdapSearcher = new DirectorySearcher();
// Attributes to return for each matching entry
LdapSearcher.PropertiesToLoad.Add("displayName");
LdapSearcher.PropertiesToLoad.Add("cn");
LdapSearcher.PropertiesToLoad.Add("department");
LdapSearcher.PropertiesToLoad.Add("title");
LdapSearcher.PropertiesToLoad.Add("memberOf");
// Match user objects whose department attribute equals Department
LdapSearcher.Filter = string.Format("(&(objectClass=user)(department={0}))", Department);
SearchResultCollection src = LdapSearcher.FindAll();

What would the filter need to look like if I only wanted everyone in the "Manager Read Only" AD Group?

Am I going about this all wrong?

Recommended answer

Looking at your search I have a couple of points for you. First, the search uses objectClass (non-indexed) instead of objectCategory (indexed). Huge performance issue with that query. You would most always want to combine the two together depending on what you are trying to retrieve:

(&(objectCategory=person)(objectClass=user)) = All users (no contacts)
(&(objectCategory=person)(objectClass=contact)) = All contacts (no users)
(&(objectCategory=person)) = All users and contacts

As for looking up the users in a group you can enumerate the list of member objects of the specific group. In the member attribute of the group object is the distinguishedName of each user.

This article describes enumerating the members of a group...

Don't forget that you may have to handle nested groups of the parent group, as there isn't a default way to handle this with LDAP queries. For that you may need to evaluate if the member object is a group and then get the member attribute for that child group.

Lastly, you should get in the habit of specifying a dns prefix to your query.

Without DNS prefix:

LDAP://ou=ouname,dc=domain,dc=com

With DNS prefix (all three work):

LDAP://servername/ou=ouname,dc=domain,dc=com
LDAP://servername.domain.com/ou=ouname,dc=domain,dc=com
LDAP://domain.com/ou=ouname,dc=domain,dc=com

A single domain won't cause you much issue but when you try and run a search in a multiple domain environment you will get bitten without this addition. Hope this helps move you closer to your goal.
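
The member-attribute walk and the combined objectCategory/objectClass filter from the answer above, as an added example that is not part of the original question or answer. The `GroupMembers` class, the `getMembers` delegate (a stand-in for reading a group's member attribute from the directory), the `OU=Groups` and `OU=Staff` containers, the `Team (EU)` group and the user names are all assumptions constructed for illustration. The group DN is escaped before it goes into the filter, and a circular nesting is visited only once.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class GroupMembers
{
    // RFC 4515 escaping: keeps ( ) * \ and NUL in a value from altering the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append((@"\*()".IndexOf(c) >= 0 || c == '\0') ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // Direct members only: users whose memberOf attribute holds the group's DN.
    public static string DirectMemberFilter(string groupDn) =>
        "(&(objectCategory=person)(objectClass=user)(memberOf=" + EscapeFilterValue(groupDn) + "))";

    // Nested expansion. getMembers returns a group's member DNs, or null if the DN is not a group.
    public static SortedSet<string> Expand(string groupDn, Func<string, string[]> getMembers)
    {
        var users = new SortedSet<string>(StringComparer.OrdinalIgnoreCase);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { groupDn };
        var queue = new Queue<string>(new[] { groupDn });
        while (queue.Count > 0)
            foreach (string dn in getMembers(queue.Dequeue()) ?? new string[0])
            {
                if (getMembers(dn) == null) users.Add(dn);   // not a group, so a leaf member
                else if (seen.Add(dn)) queue.Enqueue(dn);    // child group, visited once even if circular
            }
        return users;
    }

    static void Main()
    {
        // Constructed sample directory (OU names and users are made up), with a circular nesting.
        const string root = "CN=Manager Read Only,OU=Groups,DC=domain,DC=com";
        const string child = "CN=Team (EU),OU=Groups,DC=domain,DC=com";
        var dir = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            [root] = new[] { "CN=Alice,OU=Staff,DC=domain,DC=com", child },
            [child] = new[] { "CN=Bob,OU=Staff,DC=domain,DC=com", root },
        };
        Console.WriteLine(DirectMemberFilter(child)); // parentheses are emitted as \28 and \29
        foreach (string user in Expand(root, dn => dir.TryGetValue(dn, out var m) ? m : null))
            Console.WriteLine(user);
    }
}
```

Against a live directory, `getMembers` would be backed by a lookup of the group's member attribute; here each group is looked up twice, so cache the result if that lookup is a network query.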
