Why does changing a user's "Primary Group" from "Domain Users" prevent that user from being found by a recursive search in Active Directory?
Given the following simple OU/Group hierarchy:
OU=MyApplication
  CN=CompanyClients (objectClass="group"; Members="Clients\Client1")
  OU=Clients
    CN=Client1 (objectClass="group"; Members=".\client1-emp1; .\client1-emp2")
    CN=client1-Emp1 (objectClass="user"; Primary Group="Client1")
    CN=client1-Emp2 (objectClass="user"; Primary Group="Domain Users")
Why will the following recursive search omit client1-emp1 simply because its primary group is not set to either "Domain Users" or "Domain Guests"? Also, what other groups can be set as the primary group so that emp1 is successfully included in the search?
using System.Diagnostics;                       // Debug.WriteLine
using System.DirectoryServices.AccountManagement;

var ctx = new PrincipalContext(ContextType.Domain, "mydomain.org");
var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "CompanyClients");
var results = group.GetMembers(recursive: true);
// results excludes client1-emp1 but includes client1-emp2
foreach (var principal in results)
{
    Debug.WriteLine("Principal:" + principal.SamAccountName);
}
Results:
Principal: client1-emp2
If you check the "memberOf" property of an object in Active Directory (check e.g. your own account) you will see that it does not include your primary group (which is most likely "Domain Users"). You can see what is the primary group of a person by looking at the "primaryGroupID" property, which is "513" if your primary group is Domain Users.
Similarly, if you check the "member" property of "Domain Users", you will not see the people that have Domain Users as primary group.
I remember reading somewhere that this is done for performance reasons (of course now I cannot find the article), as having a group with too many members would impact performance under some circumstances.
Probably, the GetMembers method of GroupPrincipal does not search for users that have the group as primary group (i.e. it does not check the PrimaryGroupId attribute), that's why you don't see one of the members. This article explains how to resolve the primary group for a user, I think you should be able to use the concepts explained here to solve your problem: How to use the PrimaryGroupID attribute to find the primary group for a user
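An added example (not code from the question or the answer) that works around the gap the answer describes: it walks the group tree itself and, at every group, also queries for users whose primaryGroupID equals that group's RID. It assumes the question's domain "mydomain.org" and group "CompanyClients", and that the caller can read the directory.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupMembers
{
    // primaryGroupID holds only the RID of the group, i.e. the last sub-authority of its SID.
    static string RidOf(SecurityIdentifier sid)
    {
        var parts = sid.Value.Split('-');
        return parts[parts.Length - 1];
    }

    // Recursive membership that also includes users whose primaryGroupID points at a group
    // on the path. GetMembers(recursive: true) misses those because primary membership is
    // not stored in the group's "member" attribute. Usage with the question's names:
    //   var ctx = new PrincipalContext(ContextType.Domain, "mydomain.org");
    //   MembersIncludingPrimary(GroupPrincipal.FindByIdentity(ctx, "CompanyClients"));
    public static HashSet<string> MembersIncludingPrimary(GroupPrincipal group)
    {
        var found = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        Walk(group, found, visited);
        return found;
    }

    static void Walk(GroupPrincipal group, HashSet<string> found, HashSet<string> visited)
    {
        if (!visited.Add(group.Sid.Value)) return; // guard against nested-group cycles

        // 1. Explicit members ("member" attribute); recurse into nested groups ourselves.
        foreach (var p in group.GetMembers(false))
        {
            var nested = p as GroupPrincipal;
            if (nested != null) Walk(nested, found, visited);
            else found.Add(p.SamAccountName);
        }

        // 2. Users whose primary group is this group: LDAP filter on primaryGroupID = group RID.
        using (var root = new DirectoryEntry("LDAP://" + group.Context.ConnectedServer))
        using (var searcher = new DirectorySearcher(root,
            "(&(objectCategory=person)(objectClass=user)(primaryGroupID=" + RidOf(group.Sid) + "))",
            new[] { "sAMAccountName" }))
        using (var results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
                found.Add((string)r.Properties["sAMAccountName"][0]);
        }
    }
}
```

With the hierarchy in the question, the walk reaches Client1 through CompanyClients and the primaryGroupID query on Client1's RID returns client1-emp1, so both employees are listed. Walking a group such as Domain Users returns every user whose primary group is still the default, so expect a large result set there.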