Get users from an Active Directory group

Posted on 2024-10-09 16:44:19

I created an Active Directory domain named 'ADDOMAIN2' with a group named "CommonUsers" that has 8 users. But when I do a directory search for users in group "CommonUsers", it returns zero results. Here is my code:

    DirectorySearcher searcher = new DirectorySearcher();
    DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("LDAP://{0}", "ADDOMAIN2"), "Administrator", "p@S$w0rd");
    string dnPath = directoryEntry.Properties["distinguishedName"].Value.ToString();

    // string path = string.Format("LDAP://{0}/{1}{2}", "ADDOMAIN2", "", dnPath);
    string path = "LDAP://ADDOMAIN2/CN=CommonUsers,DC=ADDomain2,DC=ADDomain01,DC=WaveDomain";
    directoryEntry.Path = path;
    searcher.SearchRoot = directoryEntry;
    searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
    SearchResultCollection rs = searcher.FindAll();

Any idea what is wrong here?

Thanks

Comments (2)

呢古 2024-10-16 16:44:19

Try using some external LDAP browser (like the old and free version 2.6 of Softerra LDAP Browser) to check whether your query string is really pointing to the correct location.

不必了 2024-10-16 16:44:19

DirectorySearcher is not used to find users inside a group. It's used to find objects under a base path. Since there are no user objects placed under your AD group object, you won't find anything.

In most cases, you can find the user objects in an AD group from its member attribute. Beware that an AD group can contain either groups or users. So, some of the entries there may be groups. In some cases, the member attribute contains neither an AD group nor an AD user; it contains a Foreign Security Principal. This happens if your user is coming from another forest. The primary group is also handled differently. Even though "Domain User" is the primary group of most of the users in AD, its member attribute doesn't contain anything at all. There are a lot of other oddities that make enumerating an AD group object really hard.

Fortunately, in .NET 3.5, Microsoft provides some useful classes in the framework to do the dirty work for you. Check out System.DirectoryServices.AccountManagement.

To get some quick examples, you can check out this CodeProject article.

Your code should be something like this.

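    using System;
    using System.DirectoryServices.AccountManagement;

    // Bind to the domain as the identity the process is running under.
    PrincipalContext context = new PrincipalContext(ContextType.Domain, "yourdomain.com");
    // Look the group up by its sAMAccountName.
    GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users");
    // GetMembers(false) lists direct members only; GetMembers(true) also expands nested groups.
    foreach (Principal principal in groupPrincipal.GetMembers(false))
    {
        Console.Out.WriteLine(principal.DistinguishedName);
    }
    Console.In.ReadLine();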
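
Added example, not part of either answer or of the original page: the DirectorySearcher form of the same lookup, searching from the domain root and selecting users by memberOf, with primaryGroupID ORed in for the primary-group case the answer above mentions. The server name and DNs are taken from the question's LDAP path; the class and method names are hypothetical, and the code assumes a Windows host that can reach the domain and binds as the current process identity instead of embedding a password.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class GroupUserAudit   // hypothetical name, for illustration only
{
    // Escape filter metacharacters (RFC 4515) so a DN or name cannot alter the filter.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append(@"\*()".IndexOf(c) >= 0 || c == '\0' ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // Search from the domain root, not from the group object, and select by membership.
    // Only user objects are returned; nested group objects and foreign security principals are not.
    public static List<string> FindUsers(string server, string domainDn, string groupDn, bool nested)
    {
        using (var root = new DirectoryEntry($"LDAP://{server}/{domainDn}"))
        using (var group = new DirectoryEntry($"LDAP://{server}/{groupDn}"))
        {
            // primaryGroupID holds the RID, the last sub-authority of the group's SID.
            var sid = new SecurityIdentifier((byte[])group.Properties["objectSid"].Value, 0);
            string rid = sid.Value.Substring(sid.Value.LastIndexOf('-') + 1);
            // LDAP_MATCHING_RULE_IN_CHAIN makes memberOf follow nested groups.
            string rule = nested ? ":1.2.840.113556.1.4.1941:" : "";
            string filter = "(&(objectCategory=person)(objectClass=user)(|(memberOf" + rule + "="
                          + EscapeFilter(groupDn) + ")(primaryGroupID=" + rid + ")))";
            var users = new List<string>();
            using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
            {
                searcher.PageSize = 1000;   // page through results instead of stopping at the size limit
                using (SearchResultCollection results = searcher.FindAll())
                    foreach (SearchResult r in results)
                        users.Add((string)r.Properties["distinguishedName"][0]);
            }
            return users;
        }
    }

    static void Main()   // names below come from the question's LDAP path
    {
        foreach (string dn in FindUsers("ADDOMAIN2", "DC=ADDomain2,DC=ADDomain01,DC=WaveDomain",
                     "CN=CommonUsers,DC=ADDomain2,DC=ADDomain01,DC=WaveDomain", nested: true))
            Console.WriteLine(dn);
    }
}
```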