C#以其他用户身份访问Active Directory
[英]C# access Active Directory as another user
问题描述
I'd like to ask for your help with following issue. 
我想在以下问题上寻求您的帮助。 I am working on ad-hoc application, will be used only by me and just once. 我正在临时应用程序上工作,将仅由我使用一次。
Part of it is to perform password reset for over 3000 users in AD and send them new credentials. 其中一部分是在AD中为3000多个用户执行密码重置,然后向他们发送新的凭据。
I can read from AD as normal user, but I have to use privileged account to modify it. 我可以以普通用户的身份从AD读取,但是我必须使用特权帐户对其进行修改。 How can I do that? 我怎样才能做到这一点? I know, I can use PowerShell and have it done in a seconds, but I'd like to learn how to do it in C#. 我知道,我可以使用PowerShell并在几秒钟内完成它,但是我想学习如何在C#中做到这一点。
My code to search for user is simple 我搜索用户的代码很简单
public class ADSecurity
{
public static string getUserName(string sam)
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam);
return user.Name;
}
}
How can I do the same, but as different user? 我如何做,但是作为不同的用户呢?
I've seen some guides, but none of them explained az ... just advice on how to impersonate, but nothing about how to use it. 我看过一些指南,但是都没有解释az ...只是关于如何模仿的建议,而对于如何使用它却一无所知。 There was one article here about impersonation, but using LDAP protocol ( DirectoryEntry ). 这里有一篇有关模拟的文章,但使用的是LDAP协议( DirectoryEntry )。 But as I understand, it is really slow. 但是据我了解,这确实很慢。
Any advice appreciated. 任何建议表示赞赏。 I need to run it 2 days from now, so in worst case scenario I use PowerShell to do it. 我需要从现在开始2天运行它,因此在最坏的情况下,我使用PowerShell来执行它。
Thanks. 谢谢。
1 个解决方案
解决方案1
1 已采纳 2018-12-12 16:27:10
There are a few ways to do it: 有几种方法可以做到:
- Run your application under the needed credentials (Shift+right-click on the .exe file and use 'Run as a different user'). 在所需的凭据下运行应用程序(按住Shift并右键单击.exe文件,然后使用“以其他用户身份运行”)。 If you're just doing this once, this is the easiest. 如果您只做一次,这是最简单的。
- Use the
PrincipalContextconstructor that accepts a username and password.使用接受用户名和密码的PrincipalContext构造函数 。
public class ADSecurity
{
public static string getUserName(string sam)
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, null, username, password);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam);
return user.Name;
}
}
- Use the
DirectoryEntryconstructor that accepts a username and password.使用接受用户名和密码的DirectoryEntry构造函数 。
I'm not sure which example you're talking about that's "slow", but in my experience, using DirectoryEntry directly is almost always faster, as long as you use it correctly. 我不确定您所谈论的示例是“缓慢的”,但是根据我的经验,只要正确使用DirectoryEntry ,几乎总是可以更快地使用它。 The System.DirectoryServices.AccountManagement namespace (what you are using in your example) uses DirectoryEntry behind the scenes anyway. 无论如何, System.DirectoryServices.AccountManagement命名空间(在示例中使用的名称空间)在后台使用DirectoryEntry 。
Of course, options 2 & 3 require you know the password. 当然,选项2和3要求您知道密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.