How can I determine if an AD group contains a given DirectoryEntry from another (trusted) domain?

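I'm trying to beef up my code that determines whether a user is a member of a given AD group. It essentially works, except when the member of the group happens to be from another (trusted) domain, because it is stored as a foreignSecurityPrincipal.

Given that I have a valid DirectoryEntry object for the group I want to test and for the account I want to check for, I need a DirectorySearcher filter string that will let me confirm that the account is in that group, even if the account is a foreignSecurityPrincipal.

(VB.NET code example demonstrating the problem)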

Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User

Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)

OK. Found it. Here's the trick.

(VB.NET code example)

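Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User

'Filter on the SID of the account being checked; a foreignSecurityPrincipal carries the same objectSid
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
'Run the filter against the objects listed in the group's member attribute, as in the question's code
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)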


** Helper Methods **

'Builds an LDAP filter that matches on the SID of the given entry
Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
    Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

'Converts the binary objectSid attribute to its string (S-1-...) form
Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
    Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
    Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
    Return sid.ToString
End Function
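
What the helper methods above compute from the raw objectSid bytes, written out as an added Python example (not code from the original post). The function names and the sample SID are constructed for illustration. It goes one step beyond the answer by also building the hex-escaped binary form of the same filter.

```python
import struct

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or sub_count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority: 48-bit, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    if authority >= 2 ** 32:
        raise ValueError("large authority values are not handled in this example")
    # Sub-authorities: 32-bit each, little-endian.
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_filter_string(raw: bytes) -> str:
    """Same shape as getLDAPQueryStringUsingSID: string SID inside the filter."""
    return "(objectSid=" + sid_bytes_to_string(raw) + ")"

def sid_filter_escaped(raw: bytes) -> str:
    """Equivalent filter with every SID byte written as an LDAP \\xx escape."""
    sid_bytes_to_string(raw)  # validate the structure before emitting a filter
    return "(objectSid=" + "".join("\\%02x" % b for b in raw) + ")"

# Constructed sample: a domain account SID with RID 1105.
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)

if __name__ == "__main__":
    print(sid_filter_string(SAMPLE_SID))
    print(sid_filter_escaped(SAMPLE_SID))
```

Because the filter is built only from decoded integers or per-byte escapes, no account-supplied text ever reaches the LDAP filter.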
