List users in Active Directory domain AND subdomain

We have an AD with users in "mydomain.com" and users in "child.mydomain.com". When we try to list them, we can only find the "mydomain.com" users and groups, but we also need those from the child domain. How can I achieve this using C#? Please take a look at my sample code:

var context = new PrincipalContext(ContextType.Domain);
//...
var filter = new GroupPrincipal(context);
filter.IsSecurityGroup = true;
using(var searcher = new PrincipalSearcher(filter))
using(var results = searcher.FindAll())
{
    foreach(GroupPrincipal group in results)
    {
        // Read the forest's configuration naming context from rootDSE
        string path = "LDAP://rootDSE";
        DirectoryEntry searchRoot = new DirectoryEntry(path);
        string configNC = searchRoot.Properties["configurationNamingContext"].Value.ToString();
        DirectoryEntry configSearchRoot = new DirectoryEntry("LDAP://" + configNC);
        DirectorySearcher configSearch = new DirectorySearcher(configSearchRoot);
        // Each domain partition in the forest has a cross-ref object with a NETBIOSName
        configSearch.Filter = "(NETBIOSName=*)";
        configSearch.PropertiesToLoad.Add("dnsroot");
        configSearch.PropertiesToLoad.Add("ncname");
        configSearch.PropertiesToLoad.Add("NETBIOSName");
        SearchResultCollection forestPartitionList = configSearch.FindAll();
        List<Tuple<string,string>> netbiosNameList = new List<Tuple<string,string>>(forestPartitionList.Count);

        // Map each partition's naming context (DN) to its NetBIOS name
        foreach(SearchResult domainPartition in forestPartitionList)
        {
            string ncname = domainPartition.Properties["ncname"][0].ToString();
            string netBIOSName = domainPartition.Properties["NETBIOSName"][0].ToString();
            netbiosNameList.Add(Tuple.Create(ncname, netBIOSName));
        }

        //...

        //Find group members
        using (var principal = GroupPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, group.DistinguishedName))
        using (var members = principal.GetMembers(true))
        using (var enumerator = members.GetEnumerator())
        {
            //...
        }
    }
}

The code is not exactly written this way; I just want to show you the main calls that are made to query the AD. We can list the parent domain groups and users but not the child domain ones. If I change the initialization of my "context" variable, passing the child domain IP and user/password, I can list the groups and users in it. But we want to be able to do so while being in the parent domain.

I hope you can help me. Thanks a lot!

You can query the global catalog.

It contains a read-only, searchable, partial representation of every object in every domain in a multidomain Active Directory forest.

The GC operates on port 3268 (standard LDAP) and 3269 (SSL LDAP). Simply connect to any of your domain controllers on one of the above two ports and your search will be automatically directed to the GC server.

To perform any modifications, though, you will have to send such a request to a domain controller for the particular domain the object belongs to.
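The global-catalog search the answer describes, written out as an added example (this is not code from the question or the answer). It assumes the forest root DNS name "mydomain.com" from the question, that the process runs as a domain user allowed to read the GC, and that the class and method names (ForestDirectory, BindToGlobalCatalog, SearchGlobalCatalog, DomainDnsFromDn, BindForWrite) are made up for this example. It uses the System.DirectoryServices ADSI wrappers rather than PrincipalContext, because the "GC://" provider path is the direct way to target port 3268.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the question or the answer.
// Assumed: forest root "mydomain.com" (from the question); caller is a domain user.
public static class ForestDirectory
{
    // Bind to the global catalog. "GC://" is the ADSI provider for port 3268; a serverless
    // path lets the DC locator pick any GC in the forest. Secure binds with the caller's
    // Kerberos/NTLM identity; Sealing and Signing encrypt and integrity-protect the LDAP
    // session, so neither credentials nor results cross the wire in clear text.
    public static DirectoryEntry BindToGlobalCatalog(string forestDns)
    {
        return new DirectoryEntry(
            "GC://" + forestDns,
            null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Runs one LDAP filter against the GC and returns the distinguishedName of every hit.
    // The GC carries every object from every domain, so users and groups from
    // child.mydomain.com come back alongside those from mydomain.com.
    private static List<string> SearchGlobalCatalog(string forestDns, string ldapFilter)
    {
        var dns = new List<string>();
        using (DirectoryEntry root = BindToGlobalCatalog(forestDns))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = ldapFilter;
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000;   // paged results; the server's default limit is 1000 entries
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection found = searcher.FindAll())
            {
                foreach (SearchResult hit in found)
                    dns.Add(hit.Properties["distinguishedName"][0].ToString());
            }
        }
        return dns;
    }

    // All user accounts in the forest. objectCategory and objectClass are part of the GC's
    // partial attribute set, so this filter is valid against the GC.
    public static List<string> ListForestUsers(string forestDns)
    {
        return SearchGlobalCatalog(forestDns, "(&(objectCategory=person)(objectClass=user))");
    }

    // All security groups in the forest. groupType bit 0x80000000 marks a security-enabled
    // group; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    public static List<string> ListForestSecurityGroups(string forestDns)
    {
        return SearchGlobalCatalog(forestDns,
            "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))");
    }

    // The GC is read-only. To modify an object found there, bind to a DC of the domain that
    // owns it. The owning domain's DNS name is the join of the DN's DC= components.
    // Simplification: this split does not handle escaped commas inside a CN value.
    public static string DomainDnsFromDn(string distinguishedName)
    {
        var labels = new List<string>();
        foreach (string part in distinguishedName.Split(','))
        {
            string p = part.Trim();
            if (p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
                labels.Add(p.Substring(3));
        }
        return string.Join(".", labels);
    }

    // Open the object through the LDAP provider on its home domain, where writes are allowed.
    public static DirectoryEntry BindForWrite(string distinguishedName)
    {
        string domainDns = DomainDnsFromDn(distinguishedName);
        return new DirectoryEntry(
            "LDAP://" + domainDns + "/" + distinguishedName,
            null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    public static void Main()
    {
        foreach (string dn in ForestDirectory.ListForestUsers("mydomain.com"))
            Console.WriteLine(dn + "  (home domain: " + DomainDnsFromDn(dn) + ")");
        Console.WriteLine(ForestDirectory.ListForestSecurityGroups("mydomain.com").Count + " security groups");
    }
}
```

Two practical notes. First, only attributes in the partial attribute set are returned by the GC; if you need an attribute that is not replicated there (for example, most custom attributes), take the DN from the GC result and re-read the object with BindForWrite, which also works for reads. Second, if the domain controllers have LDAPS enabled, the same code can target port 3269 by binding to "GC://<dc-host>:3269" with AuthenticationTypes.SecureSocketsLayer instead of Sealing and Signing; either way, avoid an unsigned, unsealed simple bind on 3268, because that sends the password in clear text.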

粤ICP备18138465号  © 2020-2024 STACKOOM.COM