
How can I determine if an AD group contains a given DirectoryEntry from another (trusted) domain?

I am trying to beef up my code that determines whether a user is a member of a given AD group. It essentially works except when the member of the group happens to be from another (trusted) domain, because it is stored as a foreignSecurityPrincipal.

Given that I have a valid DirectoryEntry object for both the group I want to test and the account I want to check for, I need a DirectorySearcher filter string that will allow me to confirm that the account is in that group, even if the account is a foreignSecurityPrincipal.

(VB.NET code sample demonstrating the issue)

Imports System.DirectoryServices

Dim ContainerGroup As DirectoryEntry = ... 'Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... 'Code to get User

'Base-scope search rooted at the group; AttributeScopeQuery makes the filter apply to
'each object listed in the group's "member" attribute rather than to the group itself
Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)

Okay. Found it. Here's the trick.


(VB.NET code sample)

Dim ContainerGroup As DirectoryEntry = ... 'Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... 'Code to get User

'Filter on the account's SID instead of its DN: a trusted-domain account is stored in the
'group as a foreignSecurityPrincipal object whose objectSid is that account's SID
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
'Apply the filter to the group's members (same setting as in the question's code)
DSearcher.AttributeScopeQuery = "member"

Return (DSearcher.FindOne() IsNot Nothing)


** Helper Methods **

'Builds an objectSid filter; AD accepts the SDDL string form (S-1-5-...) for this attribute
Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
    Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

'Converts the binary objectSid attribute of an entry into its SDDL string form
Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
    Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
    Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
    Return sid.ToString()
End Function
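An added example, written here in Python and not part of the question or the answer: it does what the answer's helpers do (decode a binary objectSid into its SDDL string and build the objectSid filter), models the AttributeScopeQuery search against a constructed member list that contains a foreignSecurityPrincipal, and additionally shows the RFC 4515 escaped-binary form of the same filter, which the page does not use. All SIDs, DNs and the `_sid` helper are constructed sample data.

```python
import struct


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary objectSid (Windows SID structure) into SDDL 'S-1-5-...' form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID: bad revision or sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, blob, 8)  # sub-authorities, 32-bit little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def ldap_filter_for_sid(blob: bytes) -> str:
    """Filter in the form the answer builds; AD accepts the SDDL string for objectSid."""
    return "(objectSid=%s)" % sid_from_bytes(blob)


def ldap_filter_for_sid_binary(blob: bytes) -> str:
    """Equivalent RFC 4515 escaped-binary filter, accepted by any LDAP server."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in blob)


def is_member_by_sid(user_sid: bytes, members: list) -> bool:
    """Model of the AttributeScopeQuery='member' search: the account's SID is compared
    against every member object, so a foreignSecurityPrincipal matches by SID even
    though its DN looks nothing like the account's DN in the trusted domain."""
    want = sid_from_bytes(user_sid)
    return any(sid_from_bytes(m["objectSid"]) == want for m in members)


def _sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID (constructed test data only, not a real directory value)."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


# Constructed sample data: a local account, an account from a trusted domain that the
# group stores as a foreignSecurityPrincipal named after its SID, and a non-member.
LOCAL_USER_SID = _sid(5, 21, 1111, 2222, 3333, 1104)
TRUSTED_USER_SID = _sid(5, 21, 9999, 8888, 7777, 1105)
OTHER_USER_SID = _sid(5, 21, 1111, 2222, 3333, 1106)
GROUP_MEMBERS = [
    {"dn": "CN=Alice,CN=Users,DC=corp,DC=example", "objectSid": LOCAL_USER_SID},
    {"dn": "CN=S-1-5-21-9999-8888-7777-1105,CN=ForeignSecurityPrincipals,DC=corp,DC=example",
     "objectSid": TRUSTED_USER_SID},
]

if __name__ == "__main__":
    print(ldap_filter_for_sid(TRUSTED_USER_SID))
    print(is_member_by_sid(TRUSTED_USER_SID, GROUP_MEMBERS), is_member_by_sid(OTHER_USER_SID, GROUP_MEMBERS))
```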
