如何确定 AD 组是否包含来自另一个（受信任）域的给定 DirectoryEntry？

发布于 2024-07-10 14:40:51 字数 669 浏览 7 评论 0原文

我正在尝试增强我的代码来确定用户是否是给定 AD 组的成员。它本质上是有效的，除非该组的成员恰好来自另一个（受信任的）域，因为它存储为foreignsecurityprincipal。

鉴于我对要测试的组和要检查的帐户都有一个有效的 DirectoryEntry 对象，我需要一个 DirectorySearcher Filter 字符串，它允许我确认该帐户位于该组中，即使该帐户是一名外国安全负责人。

（演示该问题的 VB.NET 代码示例）

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)

原文

I am trying to beef up my code that determines whether a user is a member of a given AD group. It essentially works except when the member of the group happens to be from another (trusted) domain because it is stored as a foreignsecurityprincipal.

Given that I have a valid DirectoryEntry object for both the Group I want to test, and the Account I want to check for, I need a DirectorySearcher Filter string that will allow me to confirm that the account is in that group, even if the account is a foreignsecurityprincipal.

(VB.NET code Sample demonstrating the issue)

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

一袭白衣梦中忆 2024-07-17 14:40:51

好的。找到了。这就是窍门。

（VB.NET代码示例）

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(containedGroup), New String() {"member;Range=0-5000"}, SearchScope.Base)

Return (DSearcher.FindOne() IsNot Nothing) 


** Helper Methods **

Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String            
  Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
      Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
      Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
      Return sid.ToString
End Function

Okay. Found it. Here's the trick.

(VB.NET code Sample)

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(containedGroup), New String() {"member;Range=0-5000"}, SearchScope.Base)

Return (DSearcher.FindOne() IsNot Nothing) 


** Helper Methods **

Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String            
  Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
      Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
      Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
      Return sid.ToString
End Function

回复收藏 0 原文

~没有更多了~