Principal.IsMemberOf exception for local user account when joined to Domain
I am trying to determine whether a given local user account is in the local Administrators group. Everything works fine until the system is joined to a domain. Once it is domain-joined, an exception is thrown saying the network path was not found, but only when looking up a local non-administrator account; if the test account is a local Admin, the method returns normally.

Here is a sample of the code:
    using System;
    using System.DirectoryServices.AccountManagement;

    string accountName = @"localAccountName";
    string groupName = @"Administrators";
    using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
    {
        using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
        {
            accountPrinciple.SamAccountName = accountName;
            using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
            {
                UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
                if (account != null)
                {
                    using (GroupPrincipal groupPrinciple = new GroupPrincipal(principalContext))
                    {
                        groupPrinciple.SamAccountName = groupName;
                        using (PrincipalSearcher groupSearcher = new PrincipalSearcher(groupPrinciple))
                        {
                            GroupPrincipal group = (GroupPrincipal)groupSearcher.FindOne();
                            // Throws once the machine is domain-joined (see stack trace below)
                            if (account.IsMemberOf(group))
                            {
                                Console.WriteLine(@"{0} is part of the administrators group", accountName);
                            }
                            else
                            {
                                Console.WriteLine(@"{0} is not part of the administrators group", accountName);
                            }
                        }
                    }
                }
                else
                {
                    Console.WriteLine(@"{0} is not found", accountName);
                }
            }
        }
    }
The resulting stack trace is:

    Unhandled Exception: System.Runtime.InteropServices.COMException: The network path was not found.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
       at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
       at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
       at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
       at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
       at AdminGroupTest.Program.Main(String[] args)
I have specified the machine context and tried using the overload to further specify the local machine. I could understand it being a permissions issue with AD, except that simply changing the target account changes the behaviour regardless of the executing account, and querying a local administrator account (not the default Administrator) works. The PrincipalSearcher finds the account but cannot test membership... there must be something I am overlooking.

By default, when a machine is joined to a domain, the "Domain Admins" group is added to the local "Administrators" group.

When you query Principal.IsMemberOf(GroupPrincipal), GroupPrincipal.Members is enumerated.

First, all top-level group members are checked. This includes local users, which is why the call succeeds when checking a local administrator user.

If no match is found, the code then enumerates the other groups that are members of the group in question. In this case, Domain Admins.

To enumerate the members of Domain Admins, an Active Directory lookup is required, but your executing user does not have permission to perform domain queries.

Instead of enumerating the group to find its members, you can simply ask the UserPrincipal for its groups:
    using System;
    using System.DirectoryServices.AccountManagement;

    string accountName = @"localAccountName";
    string groupName = @"Administrators";
    using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
    {
        using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
        {
            accountPrinciple.SamAccountName = accountName;
            using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
            {
                UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
                if (account != null)
                {
                    // GetGroups() returns the groups the user is a direct member of,
                    // so no domain group members need to be resolved
                    foreach (var group in account.GetGroups())
                    {
                        if (group.SamAccountName == groupName && group.ContextType == ContextType.Machine)
                        {
                            Console.WriteLine(@"{0} is part of the administrators group", accountName);
                            return;
                        }
                    }
                    Console.WriteLine(@"{0} is not part of the administrators group", accountName);
                }
                else
                {
                    Console.WriteLine(@"{0} is not found", accountName);
                }
            }
        }
    }
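The answer's approach, packaged as a reusable check (an added example, not code from the question or the answer). It keeps the GetGroups() strategy, so it never triggers the cross-store Active Directory lookup that IsMemberOf() does, and it matches the group by its well-known SID (S-1-5-32-544, BUILTIN\Administrators) rather than by name, so it also works on localized Windows installs or where the group has been renamed. The method name, the three-valued return and the placeholder account name are this example's own assumptions; it assumes a Windows host with a reference to System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example (hypothetical helper, not part of the original Q&A).
static class LocalAdminCheck
{
    // Returns true if the local account is a direct member of the local
    // Administrators group, false if it is not, and null if no such account exists.
    public static bool? IsLocalAdministrator(string accountName)
    {
        // Well-known SID for BUILTIN\Administrators: stable across locales and renames,
        // unlike the display name "Administrators" used in the answer.
        SecurityIdentifier adminsSid =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

        using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine))
        using (UserPrincipal account =
            UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, accountName))
        {
            if (account == null)
            {
                return null;
            }

            // GetGroups() asks the local SAM which groups this user belongs to directly.
            // It does not walk the members of each group, so the foreign (domain)
            // members that make IsMemberOf() bind to Active Directory are never touched.
            using (PrincipalSearchResult<Principal> groups = account.GetGroups())
            {
                foreach (Principal group in groups)
                {
                    // Restrict to the machine store so a domain group that happens to
                    // carry the same SID prefix cannot be confused with the local one.
                    if (group.ContextType == ContextType.Machine && adminsSid.Equals(group.Sid))
                    {
                        return true;
                    }
                }
            }
            return false;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder account name; pass a real local SAM account name on the command line.
        string accountName = args.Length > 0 ? args[0] : "localAccountName";

        bool? result = IsLocalAdministrator(accountName);
        if (result == null)
        {
            Console.WriteLine("{0} is not found", accountName);
        }
        else if (result.Value)
        {
            Console.WriteLine("{0} is part of the administrators group", accountName);
        }
        else
        {
            Console.WriteLine("{0} is not part of the administrators group", accountName);
        }
    }
}
```

Like the answer's code, this reports direct membership only: a local account that is an administrator solely through a nested domain group will come back as false, because resolving that nesting is exactly the domain lookup the executing user is not permitted to perform.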