
Interaction with TFS 2015 (On-Premise)

I am creating an export file with all TFS projects, users and their associated TFS Groups for a specific TFS Collection. (using ITeamProjectCollectionService, IIdentityManagementService)

I noticed I receive also the disabled AD-users. How can I filter the disabled AD-users out of this list? I have no direct access to the AD-environment. The Microsoft.TeamFoundation.Server.Identity does not contain this property.

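        // Namespaces used: Microsoft.TeamFoundation.Client, Microsoft.TeamFoundation.Framework.Client,
        // Microsoft.TeamFoundation.Server, Microsoft.TeamFoundation.VersionControl.Client
        Uri configurationServerUri = new Uri(environmentConfig.Uri);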
        TfsConfigurationServer configurationServer = TfsConfigurationServerFactory.GetConfigurationServer(configurationServerUri);
        var tpcService = configurationServer.GetService<ITeamProjectCollectionService>();
        foreach (TeamProjectCollection tpc in tpcService.GetCollections())
        {
            var tfsProjectCollection = new TfsTeamProjectCollection(new Uri(environmentConfig.Uri + "/" + tpc.Name), environmentCredential);

            var vcs = tfsProjectCollection.GetService<VersionControlServer>();
            var sec = tfsProjectCollection.GetService<IGroupSecurityService>();

            var teamProjects = vcs.GetAllTeamProjects(false);
            foreach (var teamProject in teamProjects)
            {
                var appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

                foreach (var group in appGroups)
                {
                    Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);
                    foreach (Identity member in groupMembers)
                    {
                        if (member.Members != null)
                        {
                            foreach (string memberSid in member.Members)
                            {
                                Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
                                if (memberInfo.Type != IdentityType.WindowsUser)
                                    continue;

                                result.Add(new TfsPermission { Collection = tfsProjectCollection.Name, TeamProject = teamProject.Name,
                                    User = memberInfo.AccountName, Domain = memberInfo.Domain, Group = group.DisplayName });
                            }
                        }
                    }
                }
            }
        }

Best regards, Jens

You could use memberInfo.Domain == "DomainName" to judge if this account is an AD account. Usually, if an identity is a Windows account that was added in TFS, its memberInfo.Domain property equals a server name, not the domain name.

foreach (string memberSid in member.Members)
{
    Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
    if (memberInfo.Type == IdentityType.WindowsUser && memberInfo.Domain == "DomainName")
    {
        result.Add(new TfsPermission
        {
            Collection = tfsProjectCollection.Name,
            TeamProject = teamProject.Name,
            User = memberInfo.AccountName,
            Domain = memberInfo.Domain,
            Group = group.DisplayName
        });
    }
}

Then, to check whether those accounts are disabled in AD: like Starain said, the TFS API can't do that. But you could use the method below to check whether each account you got above is disabled in AD (from: find if user account is enabled or disabled in AD):

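using System.DirectoryServices;                   // DirectoryEntry
using System.DirectoryServices.AccountManagement; // PrincipalContext, UserPrincipal

const string accountName = "name"; // The accountName of the AD user
// "AdminUser"/"AdminPass" are placeholders for an account allowed to read the directory
var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
var userPrincipal = UserPrincipal.FindByIdentity(principalContext, accountName);

if (userPrincipal != null)
{
    var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
    var status = IsAccountDisabled(dirEntry); // true if the account is disabled in AD
}

// Judge if it is disabled in AD
public static bool IsAccountDisabled(DirectoryEntry user)
{
    const string uac = "userAccountControl";
    const int AccountDisabled = 0x0002; // ADS_UF_ACCOUNTDISABLE bit of userAccountControl
    if (user.NativeGuid == null) return false;

    if (user.Properties[uac] != null && user.Properties[uac].Value != null)
    {
        // userAccountControl is a 32-bit flag field; test the "disabled" bit
        var userFlags = (int)user.Properties[uac].Value;
        return (userFlags & AccountDisabled) != 0;
    }

    return false;
}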

However, memberInfo.Type can only distinguish whether the Identity is a user account or a TFS group. As we all know, when you set the permissions of someone, you will choose to add an account or a TFS group.
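An added example, not code from the question or the answer: applying the userAccountControl check to the whole export, querying each distinct account once and keeping accounts that could not be resolved in a separate "Unknown" bucket instead of counting them as enabled. `Row`, `AdState`, `DisabledFilter` and the `lookup` delegate are hypothetical names; the delegate stands in for the AD query shown in the answer, and the sample rows and flag values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example. Row mirrors the fields of the question's TfsPermission; the
// lookup delegate is a hypothetical stand-in for an AD query that returns
// userAccountControl, or null when the account cannot be found or read.
public record Row(string Collection, string TeamProject, string Domain, string User, string Group);
public enum AdState { Enabled, Disabled, Unknown }

public static class DisabledFilter
{
    const int ADS_UF_ACCOUNTDISABLE = 0x0002; // "account disabled" bit of userAccountControl

    public static AdState Classify(int? uac) =>
        uac == null ? AdState.Unknown
        : (uac.Value & ADS_UF_ACCOUNTDISABLE) != 0 ? AdState.Disabled
        : AdState.Enabled;

    // Query each distinct DOMAIN\user once, then tag every export row with the result.
    public static ILookup<AdState, Row> Split(IEnumerable<Row> rows, Func<string, string, int?> lookup)
    {
        var cache = new Dictionary<(string, string), AdState>();
        return rows.ToLookup(r =>
        {
            var key = (r.Domain.ToUpperInvariant(), r.User.ToUpperInvariant());
            if (!cache.TryGetValue(key, out var state))
                cache[key] = state = Classify(lookup(r.Domain, r.User));
            return state;
        });
    }

    public static void Main()
    {
        // Constructed sample data: 512 = normal account, 514 = 512 | 0x2 (disabled).
        var directory = new Dictionary<string, int> { ["alice"] = 512, ["bob"] = 514 };
        var rows = new[]
        {
            new Row("DefaultCollection", "ProjA", "CONTOSO", "alice", "Contributors"),
            new Row("DefaultCollection", "ProjA", "CONTOSO", "bob", "Readers"),
            new Row("DefaultCollection", "ProjB", "CONTOSO", "bob", "Contributors"),
            new Row("DefaultCollection", "ProjB", "CONTOSO", "carol", "Readers"),
        };
        var split = Split(rows, (domain, user) =>
            directory.TryGetValue(user, out var uac) ? uac : (int?)null);
        foreach (AdState s in Enum.GetValues(typeof(AdState)))
            Console.WriteLine(s + ": " + string.Join(", ", split[s].Select(r => r.User + "@" + r.TeamProject)));
    }
}
```

For an access review, the rows under `Unknown` (here the constructed account `carol`, which the lookup cannot resolve) are the ones to follow up manually, since a failed lookup says nothing about whether the account is still active.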
