DirectoryEntry.Invoke("groups",null) not retrieving all groups?


Problem description

I created a WCF web service to return user and group information from Active Directory. It works for most groups and users.

I use directoryEntry.Invoke("groups",null) to return the groups a specified user is member of. This returns MOST groups. The odd thing is I can find any group and enumerate its members, even if it is one of the groups missing when I use the invoke query on one of its members.

Most of the groups that exhibit this behavior are Exchange-enabled. Most of the problematic user accounts are for users in a federated domain, who use an Exchange server in the domain that I query. I am not trying to query objects in the federated domain.

My theories so far:

  • some security restriction does not allow enumerating all groups via invoke() even though I can query missing groups and enumerate their members.

  • invoke has issues with some subset of groups. Perhaps universal, dynamic, or Exchange-enabled properties are at play.

  • the invoke method does not pick up all groups because the "federated" accounts (created as part of their Exchange account setup) are somehow different than regular domain accounts beyond the sid mapping back to their login domain.
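Added example, not code from the question or from the answer below: the program reads the same user's group membership three ways (the ADSI `Groups` method reached through `Invoke`, the `memberOf` attribute, and the constructed `tokenGroups` attribute) and prints the set differences, which is the quickest way to see which view is dropping which groups. It assumes a domain-joined machine with read access to the directory and uses the placeholder account name "someuser"; the `EscapeFilterValue` helper is an assumed name implementing the RFC 4515 escaping that any caller-supplied account name needs before it goes into an LDAP filter.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example, not from the original question or answer. Assumes a domain-joined
// machine with read access to the directory; "someuser" is a placeholder sAMAccountName.
public static class GroupViews
{
    // RFC 4515 escaping so a caller-supplied account name cannot change the LDAP filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static DirectoryEntry FindUser(string samAccountName)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain, filter, new[] { "distinguishedName" }))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new ArgumentException("No user with sAMAccountName " + samAccountName);
            return hit.GetDirectoryEntry();   // the caller disposes it
        }
    }

    // View 1: the ADSI IADsUser::Groups method that the question calls through Invoke.
    public static HashSet<string> ViaInvokeGroups(DirectoryEntry user)
    {
        var dns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (object comGroup in (IEnumerable)user.Invoke("Groups"))
            using (var group = new DirectoryEntry(comGroup))
                dns.Add((string)group.Properties["distinguishedName"].Value);
        return dns;
    }

    // View 2: the memberOf back-link (direct membership; never includes the primary group).
    public static HashSet<string> ViaMemberOf(DirectoryEntry user)
    {
        var dns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (object dn in user.Properties["memberOf"])
            dns.Add((string)dn);
        return dns;
    }

    // View 3: tokenGroups, a constructed attribute holding the SID of every security group
    // in the user's token: direct, nested and primary. Distribution groups are not part of
    // a token, so they never show up here.
    public static HashSet<string> ViaTokenGroups(DirectoryEntry user)
    {
        user.RefreshCache(new[] { "tokenGroups" });   // constructed attributes must be requested explicitly
        var dns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (byte[] sidBytes in user.Properties["tokenGroups"])
        {
            var sid = new SecurityIdentifier(sidBytes, 0);
            using (var group = new DirectoryEntry("LDAP://<SID=" + sid.Value + ">"))   // ADSI SID binding
            {
                try { dns.Add((string)group.Properties["distinguishedName"].Value); }
                catch (COMException) { dns.Add(sid.Value); }   // foreign or deleted group: keep the raw SID
            }
        }
        return dns;
    }

    public static void Main()
    {
        using (var user = FindUser("someuser"))   // placeholder account name
        {
            HashSet<string> viaInvoke = ViaInvokeGroups(user), viaMemberOf = ViaMemberOf(user), viaToken = ViaTokenGroups(user);
            Console.WriteLine("In tokenGroups but not via Invoke (nested or primary): " + string.Join(", ", viaToken.Except(viaInvoke)));
            Console.WriteLine("In memberOf but not in tokenGroups (e.g. distribution groups): " + string.Join(", ", viaMemberOf.Except(viaToken)));
        }
    }
}
```

Reading the three views side by side separates the two causes that usually get mixed up: groups that only appear in `tokenGroups` are nested or primary-group memberships that neither `Groups` nor `memberOf` expands, while groups that appear in `memberOf` but not in `tokenGroups` are not security groups at all (mail-enabled distribution groups, for instance), so no token-based API will ever list them.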

Recommended answer

There are two known issues with using the "Groups" property on a DirectoryEntry:

  • it will not show you the default group the user is in (usually "Users")
  • it will not show you nested group memberships

So if a user is member of a group A, and that group then in turn is member of Group B, then in Windows, this means that the user is also member of Group B. However, the DirectoryEntry will not show you that nested group membership.

Those are the two only restrictions I know of for straight Active Directory (without Exchange).

Getting the default group is a bit involved, but I do have a code sample for that.

private string GetPrimaryGroup(DirectoryEntry aEntry, DirectoryEntry aDomainEntry)
{
   int primaryGroupID = (int)aEntry.Properties["primaryGroupID"].Value;
   byte[] objectSid = (byte[])aEntry.Properties["objectSid"].Value;

   StringBuilder escapedGroupSid = new StringBuilder();

   // Copy over everything but the last four bytes (the user's own RID).
   // What remains is the domain SID, which the primary group shares with the user.
   for(uint i = 0; i < objectSid.Length - 4; i++)
   {
        escapedGroupSid.AppendFormat("\\{0:x2}", objectSid[i]);
   }

   // Append the primaryGroupID as a little-endian RID to build the SID of the primary group
   for(uint i = 0; i < 4; i++)
   {
       escapedGroupSid.AppendFormat("\\{0:x2}", (primaryGroupID & 0xFF));
       primaryGroupID >>= 8;
   }

   // Search the directory for a group with this SID; the bytes are already hex-escaped for the LDAP filter
   using (DirectorySearcher searcher = new DirectorySearcher())
   {
      if(aDomainEntry != null)
      {
         searcher.SearchRoot = aDomainEntry;
      }

      searcher.Filter = "(&(objectCategory=Group)(objectSID=" + escapedGroupSid.ToString() + "))";
      searcher.PropertiesToLoad.Add("distinguishedName");

      SearchResult result = searcher.FindOne();
      if (result == null)
      {
         return null;   // no group with that SID is visible below the search root
      }
      return result.Properties["distinguishedName"][0].ToString();
   }
}

Getting the nested groups also takes a few steps and I'll have to hunt for a solution to that one, if that's the problem.

Marc

PS: as a side note - why on earth are you doing a "DirectoryEntry.Invoke("groups", null)" call? Why don't you just enumerate the DirectoryEntry.Properties["memberOf"] property which is multi-valued (contains multiple values) and has the group's DN (distinguished name) in it?

foreach(string groupDN in myUser.Properties["memberOf"])
{
  string groupName = groupDN;
}

OR if you're on .NET 3.5, you can make use of the new Security Principal classes in S.DS.AccountManagement. One of them is a "UserPrincipal", which has a method called "GetAuthorizationGroups()" which does all this hard work for you - for free, basically!

See an excellent MSDN article that describes these new .NET 3.5 S.DS features for you.
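Added example, not code from the answer or from the MSDN article it mentions: it shows the System.DirectoryServices.AccountManagement route the answer recommends, with `GetGroups()` (direct membership) next to `GetAuthorizationGroups()` (the full set of security groups in the user's token, nested and primary included), and handles the one failure mode that bites in multi-domain setups, a SID in the token that cannot be resolved to a group object. It assumes .NET 3.5 or later, a domain-joined machine and the placeholder account name "someuser"; `AuthorizationGroups`, `Direct`, `Effective` and `Collect` are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the answer. Assumes .NET 3.5 or later, a domain-joined
// machine and the placeholder account name "someuser".
public static class AuthorizationGroups
{
    // Direct membership as S.DS.AccountManagement reports it.
    public static List<string> Direct(string samAccountName)
    {
        return Collect(samAccountName, u => u.GetGroups());
    }

    // Effective membership: direct, nested and primary security groups, i.e. the groups
    // that end up in the user's access token. Distribution groups are not part of a
    // token and therefore do not appear here.
    public static List<string> Effective(string samAccountName)
    {
        return Collect(samAccountName, u => u.GetAuthorizationGroups());
    }

    private static List<string> Collect(string samAccountName,
                                        Func<UserPrincipal, PrincipalSearchResult<Principal>> source)
    {
        var names = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("No user with sAMAccountName " + samAccountName);

            // Enumeration can stop with PrincipalOperationException when a SID in the
            // token cannot be resolved to a group object (a group in another domain that
            // this DC cannot look up, or a group deleted after it was added). The partial
            // list is returned for diagnosis only; never base an allow decision on it.
            using (PrincipalSearchResult<Principal> results = source(user))
            {
                try
                {
                    foreach (Principal g in results)
                    {
                        var group = g as GroupPrincipal;
                        string kind = (group != null && group.IsSecurityGroup == true) ? "security" : "other";
                        names.Add(kind + ": " + (g.DistinguishedName ?? g.Sid.Value));
                    }
                }
                catch (PrincipalOperationException ex)
                {
                    Console.Error.WriteLine("Stopped early, list is incomplete: " + ex.Message);
                }
            }
        }
        return names;
    }

    public static void Main()
    {
        Console.WriteLine("Direct groups:");
        foreach (string n in Direct("someuser")) Console.WriteLine("  " + n);     // placeholder account name
        Console.WriteLine("Effective (token) groups:");
        foreach (string n in Effective("someuser")) Console.WriteLine("  " + n);
    }
}
```

Any group listed by `Effective` but not by `Direct` is a nested or primary-group membership, which is exactly what `DirectoryEntry.Invoke("groups", null)` and `memberOf` leave out; a group listed by neither is most likely a distribution group, which no token-based call will return.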
