问题描述
我有一系列的都使用相同的C#,我已经创建了检查,看看如果用户是Active Directory组的成员。NET 2.0 code应用程序。
我没有任何问题与我的code,直到最近,当我添加来自其他用户,受信任的AD域,以我的广告集团之一。我的问题是我怎么可以检查,如果用户是Active Directory组的成员,不论其域名。换言之,它们可以是或可以不是在相同的域中我的组。下面是我写和使用多年搜索看看,如果用户是在Active Directory组中的code。我不知道,我改编这个code,但我认为它来自一个MSDN文章。此外,该解决方案必须是在.NET 2.0框架。我发现相当多的答案,可以在.NET 3.5中工作这个问题。不幸的是,这会不会对我的情况下工作。
//此方法需要用户名和AD组(角色)的名称。
//此方法的当前实现不包含用户的域
//输入帐号,因为它来自Environment.UserName财产。
私有静态布尔IsInRole(用户名字符串,字符串的作用)
{
尝试
{
角色= role.ToLowerInvariant();
DirectorySearcher从DS =新DirectorySearcher从(新的DirectoryEntry(空));
ds.Filter =SAM帐户=+用户名;
信息搜索结果SR = ds.FindOne();
的DirectoryEntry德= sr.GetDirectoryEntry();
PropertyValueCollection DIR = de.Properties [成员];
的for(int i = 0; I< dir.Count ++ I)
{
字符串s = DIR [I]的ToString()子串(3)。
S = s.Substring(0,s.IndexOf(,))ToLowerInvariant()。
如果(S ==作用)
返回true;
}
抛出新的异常();
}
抓住
{
返回false;
}
}
这是不是你在等待答案,但我希望它能帮助。
第一;你想你code是工作在一个域名,但我看不出它需要在用户的主要组的'照顾。如果选择一组为用户主要组的',这组成员属性不再一部分。
二;在我的理解,这是一种(我希望不是唯一的一个,但我'还在寻找)看看,如果用户是present在一组是 recusively 的'看用户DN在成员的'属性'的集团的'对象。所以,你的情况,你可能会问你的域和其他域。你可以这样做,这样做每个域一个搜索。下面是这样的一个样本的递归一个滑槽搜索的使用控制:
/ *连接到Active Directory
* /
字符串sFromWhere =LDAP:// WIN-计算机:389 /;
的DirectoryEntry贬低=新的DirectoryEntry(sFromWhere,DOM \\用户,密码);
/ *找到所有的团体USER1是的成员:
*设置基地到组容器DN;比如根DN(DC = DOM,DC = FR)
*设置范围为子树
*请使用以下过滤器:
*(成员:1.2.840.113556.1.4.1941:= CN =用户1,CN =用户,DC = X)
* /
DirectorySearcher从dsLookFor =新DirectorySearcher从(贬低);
dsLookFor.Filter =(成员:1.2.840.113556.1.4.1941:= CN = user1的用户,OU = MonOu,DC = DOM,DC = FR);
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add(CN);
SearchResultCollection srcGroups = dsLookFor.FindAll();
注:你可以用一个更准确的过滤器可排除通讯组例如:
。编辑(回答评论提问):
第一:是证书需要的?我会说不,如果该请求是由属于域或批准的域中的计算机上进行。
第二和第三:是的过滤器中的。我写这个过滤器的方法是从样品中扣除。
I have a series of applications that all use the same C#, .Net 2.0 code that I've created to check and see if a user is a member of an Active Directory group.
I haven't had any trouble with my code until recently, when I added a user from another, trusted AD domain to one of my AD groups. My question is how can I check to see if a user is a member of an Active Directory group, regardless of their domain. In other words, they may or may not be in the same domain as my group. Below is the code that I have written and used for years to search to see if the user is in an Active Directory group. I'm not sure where I adapted this code from but I'd assume it came from an MSDN article. Also, the solution must be for the .Net 2.0 framework. I have found quite a few answers that may work for this problem in .Net 3.5. Unfortunately, that won't work for my scenario.
//This method takes a user name and the name of an AD Group (role).
//Current implementations of this method do not contain the user's domain
//with userName, because it comes from the Environment.UserName property.
private static bool IsInRole(string userName, string role)
{
try
{
role = role.ToLowerInvariant();
DirectorySearcher ds = new DirectorySearcher(new DirectoryEntry(null));
ds.Filter = "samaccountname=" + userName;
SearchResult sr = ds.FindOne();
DirectoryEntry de = sr.GetDirectoryEntry();
PropertyValueCollection dir = de.Properties["memberOf"];
for (int i = 0; i < dir.Count; ++i)
{
string s = dir[i].ToString().Substring(3);
s = s.Substring(0, s.IndexOf(',')).ToLowerInvariant();
if (s == role)
return true;
}
throw new Exception();
}
catch
{
return false;
}
}
This is not the answer you are waiting for, but I hope it can help.
First ; You suppose you code is working in a domain, but I don't see where it takes care of the user 'principal group'. If you select a group as the 'user principal group', this group is no longer part of the member attribute.
Second ; In my understanding, a way (I hope not the only one, but I'am still looking for) to see, if a user, is present in a group is to 'recusively' look for the user DN in the 'member' attribute of 'group' objects. So, in your case, you may ask your domain and the other domain. You can do that doing ONE search per domain. Here is a sample of such a 'recursive one shoot search' using control :
/* Connection to Active Directory
*/
string sFromWhere = "LDAP://WIN-COMPUTER:389/";
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\user", "password");
/* To find all the groups that "user1" is a member of :
* Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
* Set the scope to subtree
* Use the following filter :
* (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
*/
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");
SearchResultCollection srcGroups = dsLookFor.FindAll();
Remark : you can use a more accurate filter to exclude distribution groups for example.
Edited (to answer comments questions) :
First : Are the credentials needed ? I would say no if the request is done from a computer that belongs to the domain or the approved domain.
Second and third : Yes filters are documented by Microsoft in AD Search Filter Syntax. The way I wrote this filter is a deduction from the samples.
这篇关于我怎样才能查询,如果一个域的用户是一组中的另一AD域的成员?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!