使用 Sharepoint API 获取 AD 域组的成员

发布于 2024-10-04 19:12:33 字数 470 浏览 8 评论 0原文

在我的 Sharepoint 代码中,我通过以下方式显示所有已定义用户的列表:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

最重要的是,我可以将域安全组添加到 Sharepoint 组(如访客),从而一次添加许多用户(更简单的管理)。但我的代码至少在他们第一次登录之前看不到这些用户(如果他们有足够的权限)。在这种情况下,我只能看到域安全组 SPUser 对象实例,其 IsDomainGroup 设置为 true

是否可以通过 Sharepoint 获取域组成员,而无需诉诸 Active Directory 查询(这是我宁愿避免的事情,因为您可能需要足够的权限来执行此类操作 = 更多管理:Sharepoint 权限 +广告权)。

In my Sharepoint code I display a list of all defined users via:

foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
    ...
}

The great part is, I can add a domain security group to a Sharepoint group (like Visitors) thus adding many users at once (simpler administration). But my code doesn't see those users at least not until they log-in for the first time (if they have sufficient rights). In this case I can only see the domain security group SPUser object instance with its IsDomainGroup set to true.

Is it possible to get domain group members by means of Sharepoint without resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations = more administration: Sharepoint rights + AD rights).

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

旧人哭 2024-10-11 19:12:33

您可以使用方法 SPUtility.GetPrincipalsInGroup (MSDN)。

字符串输入(安全组的 NT 帐户名称)之外的所有参数都是不言自明的:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

请注意,此方法不解析嵌套安全组。此外,执行用户需要具有当前 Web 上的浏览​​用户信息权限 (SPBasePermissions.BrowseUserInfo)。

更新:

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

编辑:

[...] 诉诸 Active Directory 查询(这是我宁愿避免的事情,因为您可能需要足够的权限来执行此类操作 [...]

当然,这是事实,但 SharePoint 也必须查找 AD。就是这样为什么应用程序池服务帐户需要对 AD 具有读取权限。
换句话说,如果您运行恢复到进程帐户的代码,您应该可以安全地对 AD 执行查询。

You can use the method SPUtility.GetPrincipalsInGroup (MSDN).

All parameters are self-explaining except string input, which is the NT account name of the security group:

bool reachedMaxCount;
SPWeb web = SPContext.Current.Web;
int limit = 100;
string group = "Domain\\SecurityGroup";
SPPrincipalInfo[] users = SPUtility.GetPrincipalsInGroup(web, group, limit, out reachedMaxCount);

Please note that this method does not resolve nested security groups. Further the executing user is required to have browse user info permission (SPBasePermissions.BrowseUserInfo) on the current web.

Update:

private void ResolveGroup(SPWeb w, string name, List<string> users)
{
    foreach (SPPrincipalInfo i in SPUtility.GetPrincipalsInGroup(w, name, 100, out b))
    {
        if (i.PrincipalType == SPPrincipalType.SecurityGroup)
        {
          ResolveGroup(w, i.LoginName, users);
        }
        else
        {
          users.Add(i.LoginName);
        }
    }
}

List<string> users = new List<string>();
foreach (SPUser user in SPContext.Current.Web.AllUsers)
{
  if (user.IsDomainGroup)
    {
      ResolveGroup(SPContext.Current.Web, user.LoginName, users);
    }
    else
    {
      users.Add(user.LoginName);
    }
}

Edit:

[...] resorting to Active Directory querying (which is something I would rather avoid because you probably need sufficient rights to do such operations [...]

That's true, of course, but SharePoint has to lookup the AD as well. That's why a application pool service account is required to have read access to the AD.
In other words, you should be safe executing queries against the AD if you run your code reverted to the process account.

清眉祭 2024-10-11 19:12:33

我建议您直接查询 Active Directory。您花费了大量精力来尝试让 SharePoint 为您调用 AD。每个具有域用户访问权限的帐户都应该能够查询您嵌套在 SharePoint 中的 AD 组。我只想去源头。

这样您就不必担心浏览用户权限或其他任何问题。在我看来,尝试通过 SharePoint 代理这一点只会让您的生活变得更加困难。

I would suggest you just query Active Directory directly. You are spending a lot of effort to try to get SharePoint to make this call to AD for you. Every account that has Domain User access should be able to query the AD groups you have nested in SharePoint. I would just go to the source.

This way you don't have to worry about Browse User Permissions or anything else. In my opinion trying to proxy this through SharePoint is just making your life more difficult.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文