Windows / Active Directory - Users/Groups

Posted on 2024-07-04 11:10:09

I'm looking for a way to find the Windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:

DOMAIN\USER 
DOMAIN\GROUP

I have a list of users in Active Directory format that I need to add:

ou=group1;ou=group2;ou=group3

I have tried adding DOMAIN\Group1, but I get a 'user not found' error.

P.S. It should also be noted that I'm not a LAN admin.

Comments (7)

情感失落者 2024-07-11 11:10:10

Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.

飘过的浮云 2024-07-11 11:10:10

Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi

This gives you a couple of additional tools to "get at" AD:
LDP.EXE - good for reading information in AD, but the UI kinda stinks.
ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.

You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.

帅气尐潴 2024-07-11 11:10:10

OU is an Organizational Unit (sort of like a Subfolder in Explorer), not a Group. Hence group1, 2 and 3 are not actually groups.

You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.

Edit: For groups, the CN (Common Name) could also work.

The full string from Active Directory normally looks like this:

cn=Username,cn=Users,dc=DomainName,dc=com

(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.)

A君 2024-07-11 11:10:10

You do not need domain admin rights to look at the active directory. By default, any (authenticated?) user can read the information that you need from the directory.

If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.

You only need admin rights to change the contents of the directory.

I think it is possible to set more restricted permissions, but that's not likely the case.

池木 2024-07-11 11:10:10

Thanks adeel825 & Michael Stum.

My problem is, though, I'm in a big corporation and do not have access to log in as the domain admin nor to view the active directory, so I guess my solution is to try and get that level of access.

瞎闹 2024-07-11 11:10:09

You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:

  1. Go to start --> run and type in mmc.
  2. In the MMC console go to File --> Add/Remove Snap-In
  3. Click Add
  4. Select Active Directory Users and Computers and select Add.
  5. Hit Close and then hit OK.

From here you can expand the domain tree and search (by right-clicking on the domain name).

You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.

When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.

绅士风度i 2024-07-11 11:10:09

Programmatically or Manually?

Manually, I prefer AdExplorer, which is a nice Active Directory Browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.

Programmatically, it depends on your language of course. On .NET, the System.DirectoryServices Namespace is your friend. (I don't have any code examples here unfortunately)

For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

http://en.wikipedia.org/wiki/Active_Directory (General stuff about the Structure of AD)
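
The lookup the answers above describe (the OU-versus-group distinction and the System.DirectoryServices pointer), as an added PowerShell example that is not part of the original thread: it lists the users and groups under one OU and prints each as DOMAIN\name using the sAMAccountName attribute, which is the value the DOMAIN\USER format expects. The OU path is a constructed placeholder, and the script assumes a domain-joined workstation whose logon domain (`$env:USERDOMAIN`) is the domain that holds the objects.

```powershell
# Added example. Runs as an ordinary authenticated domain user; read access only.
# Constructed placeholder: replace with the real OU distinguished name.
$ouDn = 'OU=group1,DC=example,DC=com'

# NetBIOS name of the logon domain: the DOMAIN part of DOMAIN\name.
# Assumption: the objects under $ouDn live in this same domain.
$domain = $env:USERDOMAIN

# Bind to the OU and search everything beneath it.
$root     = [ADSI]"LDAP://$ouDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500   # page results so large OUs are not truncated

# Match security/distribution groups and user accounts; an OU itself has no
# sAMAccountName, which is why DOMAIN\<OU name> yields 'user not found'.
$searcher.Filter = '(|(objectCategory=group)(&(objectCategory=person)(objectClass=user)))'
foreach ($attr in 'sAMAccountName', 'objectClass', 'distinguishedName') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        # Result property names are stored in lower case.
        $sam  = [string]$r.Properties['samaccountname'][0]
        $kind = if ($r.Properties['objectclass'] -contains 'group') { 'group' } else { 'user' }
        [pscustomobject]@{
            Kind  = $kind
            Login = "$domain\$sam"
            DN    = [string]$r.Properties['distinguishedname'][0]
        }
    }
}
finally {
    $results.Dispose()   # FindAll() holds unmanaged resources until disposed
}
```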
