[英]How can I determine if an AD group contains a given DirectoryEntry from another (trusted) domain?
I am trying to beef up my code that determines whether a user is a member of a given AD group. 我试图加强我的代码,以确定用户是否是给定AD组的成员。 It essentially works except when the member of the group happens to be from another (trusted) domain because it is stored as a foreignsecurityprincipal. 它基本上有效,除非该组成员恰好来自另一个(受信任)域,因为它存储为foreignsecurityprincipal。
Given that I have a valid DirectoryEntry object for both the Group I want to test, and the Account I want to check for, I need a DirectorySearcher Filter string that will allow me to confirm that the account is in that group, even if the account is a foreignsecurityprincipal. 鉴于我有一个有效的DirectoryEntry对象,我想要测试的组和我要检查的帐户,我需要一个DirectorySearcher过滤器字符串,这将允许我确认该帐户在该组中,即使该帐户是一个外国安全主体。
(VB.NET code Sample demonstrating the issue) (VB.NET代码示例演示了该问题)
Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User
DSearcher = New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"
'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)
Okay. 好的。 Found it. 找到了。 Here's the trick. 这是诀窍。
I am trying to beef up my code that determines whether a user is a member of a given AD group. 我试图加强我的代码,以确定用户是否是给定AD组的成员。 It essentially works except when the member of the group happens to be from another (trusted) domain because it is stored as a foreignsecurityprincipal. 它基本上有效,除非该组成员恰好来自另一个(受信任)域,因为它存储为foreignsecurityprincipal。
(VB.NET code Sample) (VB.NET代码示例)
Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User
DSearcher = New DirectorySearcher
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(containedGroup), New String() {"member;Range=0-5000"}, SearchScope.Base)
Return (DSearcher.FindOne() IsNot Nothing)
** Helper Methods **
Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function
Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
Return sid.ToString
End Function
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.