问题描述
这是更多的是好奇比请求帮助,但我注意到,使用的PrincipalPermission和验证用户是在Active Directory中,将不使用真正的组名特定组的一部分,而是时验证对pre-Windows 2000的组名代替。按说这不会有所作为 - 除非有人发生,使这些值不同。
This is more of a curiosity than a request for help, but I noticed that when using PrincipalPermission and verifying a user is part of a specific group in Active Directory it will not use the true group name but instead validates against the pre-Windows 2000 group name instead. Ordinarily this wouldn't make a difference - unless someone happens to make these values different.
谁能想到,为什么.NET API将使用该组的名称,而不是真实的名字?这引起了我的悲伤,有点盲目运气小时,终于弄清楚这一切。
Can anyone think of why the .Net API would use that group name instead of the "true" name? This caused me hours of grief and a bit of blind luck to finally figure it all out.
推荐答案
我会承担(不经测试,并尝试此我自己)的的PrincipalPermission属性将使用sAMAccountName赋在Active Directory用户和组的名称(如用户或JOHNDOE),而不是专有名称(DN),你可能会想到(CN =用户,CN =李四)。
I would assume (without having tested and tried this myself) that the PrincipalPermission attribute will use the "sAMAccountName" in Active Directory for user and group names (e.g. "Users" or "JohnDoe") instead of the "distinguished name" (DN) you might expect ("CN=Users", "CN=John Doe").
这样做的原因很可能是,你正在处理,例如场景一个独立的服务器,或者NT4域。在这种情况下,你根本就没有任何广告为基础的专有名称 - 但你确实有SAM帐户名称
The reasoning behind this will most likely be the scenario where you're working on e.g. a stand-alone server, or a NT4 domain. In those cases, you simply don't have any AD-based distinguished names - but you do have the SAM account names.
因此,在某种意义上,这威力似乎有点令人吃惊,在第一 - 但它有一定道理在我使用这些SAM帐户名(pre-AD名)的意见 - 你不同意
So in a sense this might seems a bit surprising at first - but it does make sense in my opinion to use those SAM account names (pre-AD names) - don't you agree?
马克·
这篇关于Active Directory和的PrincipalPermission的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!