[英]Want to look up an AD Group's SID without using samAccountName or DirectoryServices.AccountManagement
在C#中,有沒有一種方法可以在不使用DirectoryServices.AccountManagement庫或icky-ugly LDAP的情況下查找Active Directory組SID?
[Authorize]屬性和基礎WindowsPrincipal.IsInRole(string role)僅檢查AD中的samAccountName 。
這不僅是Microsoft建議檢查角色時避免使用的舊標識符,而且:
// It is also better from a performance standpoint than the overload that accepts a string.
// The aformentioned overloads remain in this class since we do not want to introduce a
// breaking change. However, this method should be used in all new applications and we should document this.
public virtual bool IsInRole (SecurityIdentifier sid) {}
但我也無法控制AD,也無法確保samAccountName與我們要求設置的“用戶友好”名稱保持同步。 這就是問題首先出現的原因,它傳遞了一個復數(Name)而不是一個單數(samAccountName)字符串...值不相同。
此外,samAccountName和SID可能會發生變化-例如,如果AD管理員刪除該帳戶並重新創建該帳戶,則SID肯定會有所不同,而samAccountName會是另一個人為錯誤的位置,但它們將始終恢復名稱/ UPN值按要求。
最終,我想編寫一個自己的干凈的Authorize屬性來檢查組成員身份,而不必對SAM或SID進行硬編碼。
我知道我可以使用DirectoryServices.AccountManagement做到這一點:
// get group principal
var pc = new PrincipalContext(ContextType.Domain, "domainName");
var gp = GroupPrincipal.FindByIdentity(pc, IdentityType.Name, "groupName");
// check if user is in group.
var up = UserPrincipal.Current;
var usersGroups = up.GetGroups();
var inGroup = usersGroups.Contains(gp);
我只是想知道是否有一種更簡單,更少依賴的非遺留方法來做到這一點,以使要編程的屬性盡可能地精簡。
我先前的相關問題: .Net 4.5中的Active Directory組成員身份檢查
您可以輕松完成此操作-設置域上下文,找到組,獲取Sid屬性-類似於以下內容:
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
// find your group - by group name, group DN, SAM Account Name - whatever you like!
// This is **NOT** limited to just SAM AccountName!
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupSamAccountName);
if(group != null)
{
// this gives you the variable of type "SecurityIdentifier" to be used in your
// call to "IsInRole" ....
SecurityIdentifier groupSid = group.Sid;
string groupSidSDDL = groupSid.Value;
}
另外:我不理解您對使用samAccountName反感-這是每個組的強制性且唯一的屬性-因此,這將是唯一標識您的組的完美選擇!
您應該檢出System.DirectoryServices.AccountManagement (S.DS.AM)命名空間。 在這里閱讀所有內容:
新的S.DS.AM使得與AD中的用戶和組玩起來非常容易!
DirectoryServices.AccountManagement-組成員身份檢查效率
[英]DirectoryServices.AccountManagement - group membership checking efficiency
使用DirectoryServices.AccountManagement時內存泄漏
[英]Memory leaks when using DirectoryServices.AccountManagement
使用DirectoryServices.AccountManagement,如何獲取活動目錄安全組的電子郵件地址?
[英]Using DirectoryServices.AccountManagement, how do I get the e-mail address of an active directory security group?
使用DirectoryServices.AccountManagement從OU獲取組
[英]Get Groups From OU using DirectoryServices.AccountManagement
單聲道和Active Directory:DirectoryServices.AccountManagement異常
[英]Mono & Active Directory: DirectoryServices.AccountManagement exception
使用System.DirectoryServices.AccountManagement,將組設為主要組
[英]Using System.DirectoryServices.AccountManagement, Making a group the primary group
如何在AD中查找屬於組的用戶,並僅獲取其SAMAccountName和SID?
[英]How to find users in AD that belong to a group, and just get their SAMAccountName, and SID?
如何使用System.DirectoryServices.AccountManagement將用戶添加到AD?
[英]How do I add a user to AD using System.DirectoryServices.AccountManagement?
使用AccountManagement快速*將多個用戶添加到AD組
[英]Add multiple users to an AD group *quickly* using AccountManagement
如何使用C#的System.DirectoryServices.AccountManagement確定OU是否存在?
[英]How do I determine if an OU exists using C#'s System.DirectoryServices.AccountManagement?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.