本文介绍了用户/组在Active Directory权限的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在哪里可以找到,做了以下的例子吗?

Where can I find an example that does the following?

  1. 拉从Active Directory用户。
  2. 获取用户的成员组。
  3. 获取分配给每个组的权限列表。

这似乎是一个简单的任务,但我不能找到一个解决方案。

This seems like a simple task but I can't find a solution.

的总体目标是,以指定自定义权限,并利用它们在应用程序中控制权。

The overall goal is to assign custom permissions and use them to control rights within an application.

推荐答案

如果你在.NET 3.5及以上,你应该看看 System.DirectoryServices.AccountManagement (S.DS.AM)命名空间。阅读所有关于它的:

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

  • Managing Directory Security Principals in the .NET Framework 3.5
  • MSDN docs on System.DirectoryServices.AccountManagement

基本上,你可以定义域范围内,并很容易地找到在AD用户和/或组:

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

if(user != null)
{
   // do something here....
}

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
   // iterate over members
   foreach (Principal p in group.GetMembers())
   {
      Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);
      // do whatever you need to do to those members
   }
}

新S.DS.AM使得它可以很容易地玩弄用户和组AD!

The new S.DS.AM makes it really easy to play around with users and groups in AD!

最后一点:权限。这些并不存储在Active Directory中 - 因此,你不能检索来自任何AD code

The last point: permissions. Those aren't stored in Active Directory - and therefore, you can't retrieve those from any AD code.

权限存储在单个文件系统项,例如文件和/或目录 - 或其它对象(如注册表项,等等)。当你有一个AD组或用户帐户,你可以阅读它的SID(安全标识符)属性 - 即SID将在ACL的(访问控制列表),显示了所有通过Windows - 但是从用户或组,有没有一种机制来获取所有权限,它可能在本机/服务器的任何地方。

Permissions are stored on the individual file system items, e.g. files and/or directories - or other objects (like registry keys, etc.). When you have an AD group or user account, you can read it's SID (Security Identifier) property - that SID will show up in ACL's (Access Control Lists) all over Windows - but from the user or group, there's no mechanism to get all permissions it might have anywhere in the machine/server.

权限的文件和目录可以如使用上的的FileInfo 的DirectoryInfo .GetAccessControl()方法检索$ C>类:

Permissions for files and directories can e.g. be retrieved using the .GetAccessControl() method on the FileInfo and DirectoryInfo classes:

FileInfo info = new FileInfo(@"D:\test.txt");
FileSecurity fs = info.GetAccessControl();

DirectoryInfo dir = new DirectoryInfo(@"D:\test\");
DirectorySecurity ds = dir.GetAccessControl();

那些破译和决策意识是一个完全不同的故事干脆!

Deciphering and making sense of those is a whole different story altogether!

这篇关于用户/组在Active Directory权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-23 19:31