How can I determine if an AD group contains a given DirectoryEntry from another (trusted) domain?
I'm trying to harden my code that determines whether a user is a member of a given AD group. It basically works, except when the group member happens to come from another (trusted) domain, because it is stored as a foreignSecurityPrincipal.
Given that I have valid DirectoryEntry objects for both the group I want to test and the account I want to check, I need a DirectorySearcher filter string that will let me confirm the account is in the group, even if the account is a foreign security principal.
(VB.NET code sample demonstrating the problem)
Imports System.DirectoryServices

Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User
' Base-scope search rooted at the group; with AttributeScopeQuery the filter is applied to the objects its member attribute points at
Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"
' If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)
OK. Found it. Here's the trick.
(VB.NET code sample)
Imports System.DirectoryServices

Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User
' Filter on the account's SID rather than its DN: the foreignSecurityPrincipal object carries the foreign account's objectSid
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"
Return (DSearcher.FindOne() IsNot Nothing)
** Helper Methods **
' Build an LDAP filter matching the object whose objectSid equals the given entry's SID
Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
    Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

' Convert the binary objectSid of a DirectoryEntry to its SDDL string form (S-1-5-21-...)
Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
    Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
    Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
    Return sid.ToString()
End Function
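The reason the SID filter works where a DN filter does not: the foreignSecurityPrincipal object that the group's domain creates for a trusted-domain account has an objectSid equal to that account's own SID, so matching on objectSid finds it regardless of which domain the account lives in. As an added example that is not part of the original question or answer, the following Python does what the answer's getSDDLSidForDirectoryEntry helper does (decode the binary objectSid into SDDL form) and builds the resulting filter in two forms: the SDDL string form used in the answer, which Active Directory accepts for objectSid, and the RFC 4515 escaped-byte form that any LDAP server accepts. The SID bytes are constructed for the example; the function names are the example's own.

```python
import re
import struct

# Constructed sample SID for the example (not from the original post):
# S-1-5-21-1111111111-2222222222-3333333333-1001 in the binary layout AD stores in objectSid.
SAMPLE_SID = (
    bytes([1, 5])                      # revision, sub-authority count
    + (5).to_bytes(6, "big")           # identifier authority (NT Authority), big-endian 48-bit
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1001)  # little-endian sub-authorities
)

_SDDL_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_bytes_to_sddl(sid: bytes) -> str:
    """Decode a binary objectSid into its SDDL string form, e.g. 'S-1-5-21-...'.

    Malformed input is rejected rather than silently producing a wrong SID,
    since the result ends up inside an LDAP filter.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError(f"SID length {len(sid)} does not match {sub_count} sub-authorities")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", sid, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sddl_to_sid_bytes(sddl: str) -> bytes:
    """Inverse of sid_bytes_to_sddl: encode 'S-1-5-21-...' back into the binary layout."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"not an SDDL SID string: {sddl!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def objectsid_filter_string(sid: bytes) -> str:
    """The filter the answer builds: Active Directory accepts the SDDL string form for objectSid."""
    return f"(objectSid={sid_bytes_to_sddl(sid)})"


def objectsid_filter_binary(sid: bytes) -> str:
    """Portable alternative: RFC 4515 escapes each byte of a binary value as \\XX."""
    escaped = "".join(f"\\{b:02x}" for b in sid)
    return f"(objectSid={escaped})"


if __name__ == "__main__":
    print(sid_bytes_to_sddl(SAMPLE_SID))
    print(objectsid_filter_string(SAMPLE_SID))
    print(objectsid_filter_binary(SAMPLE_SID))
```

Either filter string can be handed to a base-scope search rooted at the group with AttributeScopeQuery set to member, exactly as in the answer; the binary form is the one to use against directories that do not understand SDDL strings in filters.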