获取新用户的活动目录容器对象

发布于 2024-10-14 08:34:18 字数 195 浏览 2 评论 0原文

我想在活动目录域中创建一个可以添加新用户的容器对象树。我可以递归访问域并获取目录中的所有内容，但我想将范围限制为仅对用户有效的容器。

LDAP 查询会是什么样子来获取适合用户对象的节点的子节点？有更好的方法吗？

如果您好奇的话，我正在使用 c#、System.DirectoryServices 和 .net 3.5。

谢谢！

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

囚我心虐我身 2024-10-21 08:34:18

查看优秀的 MSDN 文章在 .NET Framework 3.5 中管理目录安全主体如果您还没有使用 .NET 3.5 中的 System.DirectoryServices.AccountManagement 中的新功能，请了解如何使用。

为了绑定到您的容器，您需要知道它的 LDAP 路径，这样您就可以基于该容器建立一个上下文：

PrincipalContext ctx = 
    new PrincipalContext(ContextType.Domain, "Fabrikam",
                         "ou=TechWriters,dc=fabrikam,dc=com");

通过此上下文，您现在可以在该上下文中搜索某些类型的主体：

// create a principal object representation to describe
// what will be searched 
UserPrincipal user = new UserPrincipal(ctx);

// define the properties of the search (this can use wildcards)
user.Enabled = false;
user.Name = "user*";

// create a principal searcher for running a search operation
PrincipalSearcher pS = new PrincipalSearcher();

// assign the query filter property for the principal object you created
// you can also pass the user principal in the 
// PrincipalSearcher constructor
pS.QueryFilter = user;

// run the query
PrincipalSearchResult<Principal> results = pS.FindAll();

Console.WriteLine("Disabled accounts starting with a name of 'user':");
foreach (Principal result in results)
{
    Console.WriteLine("name: {0}", result.Name);
}

这可行吗为你？这就是您要找的吗？

Check out the excellent MSDN article Managing Directory Security Principals in the .NET Framework 3.5 on how to use the new features in System.DirectoryServices.AccountManagement in .NET 3.5, if you haven't already.

In order to bind to your container, you need to know it's LDAP path and with this, you can establish a context based on that container:

PrincipalContext ctx = 
    new PrincipalContext(ContextType.Domain, "Fabrikam",
                         "ou=TechWriters,dc=fabrikam,dc=com");

With this context, you can now e.g. search for certain types of principals in that context:

// create a principal object representation to describe
// what will be searched 
UserPrincipal user = new UserPrincipal(ctx);

// define the properties of the search (this can use wildcards)
user.Enabled = false;
user.Name = "user*";

// create a principal searcher for running a search operation
PrincipalSearcher pS = new PrincipalSearcher();

// assign the query filter property for the principal object you created
// you can also pass the user principal in the 
// PrincipalSearcher constructor
pS.QueryFilter = user;

// run the query
PrincipalSearchResult<Principal> results = pS.FindAll();

Console.WriteLine("Disabled accounts starting with a name of 'user':");
foreach (Principal result in results)
{
    Console.WriteLine("name: {0}", result.Name);
}

Does that work for you? Is that what you're looking for?

回复收藏 0 原文

她说她爱他 2024-10-21 08:34:18

如果我正确理解您的问题，您想知道的是 Active Directory 中什么样的对象可以包含用户对象。

我想你可以从AD架构分区中得到答案。我快速检查了运行 Windows 2003 AD 的架构分区。允许将User对象分配给OU、容器、builtinDomain和domainDNS >。

我没有检查Windows 2008，但我相信应该是一样的。很多人都知道OU和容器是什么。很少有人知道builtinDomain和domainDNS是什么。我怀疑它对你的情况是否有用。 builtinDomain是一个特殊的容器，用于包含内置帐户。默认情况下，AD 在 CN=Builtin,DC=yourdomain,DC=com 创建了一个 builtinDomain。 domainDNS 是您的根域路径 DC=yourdomain,DC=com。

这是一个在特定节点下查找 Active Directory 中所有类型对象的函数。如果您认为 builtinDomain 和 domainDNS 对您的情况没有意义，只需将其从 LDAP 过滤器中取出即可。

IEnumerable<DirectoryEntry> FindUserParentObject(DirectoryEntry root)
{
    using (DirectorySearcher searcher = new DirectorySearcher(root))
    {
        searcher.Filter = "(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=builtinDomain)(objectClass=domainDNS))";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.PageSize = 1000;
        foreach (SearchResult result in searcher.FindAll())
        {
            yield return result.GetDirectoryEntry();
        }
    }
}

If I understand your question correctly, what you want to know is what kind of objects in Active Directory can contain User object.

I think you can get the answer from the AD schema partition. I had a quick check on my schema partition which is running Windows 2003 AD. The User object is allowed to be assigned to OU, container, builtinDomain and domainDNS.

I didn't check Windows 2008 but I believe it should be the same. Many people know what OU and container are. Few people know what builtinDomain and domainDNS are. I doubt if it's useful in your case. builtinDomain is a special container used to contain the built-in account. By default, AD created a builtinDomain at CN=Builtin,DC=yourdomain,DC=com. domainDNS is your root domain path DC=yourdomain,DC=com.

Here is a function to find all kinds of objects in Active Directory under a particular node. If you think builtinDomain and domainDNS is not meaningful in your case, just take it out from the LDAP filter.

IEnumerable<DirectoryEntry> FindUserParentObject(DirectoryEntry root)
{
    using (DirectorySearcher searcher = new DirectorySearcher(root))
    {
        searcher.Filter = "(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=builtinDomain)(objectClass=domainDNS))";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.PageSize = 1000;
        foreach (SearchResult result in searcher.FindAll())
        {
            yield return result.GetDirectoryEntry();
        }
    }
}

回复收藏 0 原文

~没有更多了~