Why does changing a user's "Primary Group" from "Domain Users" hinder a recursive search for the user in Active Directory?

Posted 2024-11-09 22:39:50 · 984 characters · 0 views · 0 comments


Given the following simple OU/Group hierarchy:

OU=MyApplication
    CN=CompanyClients(objectClass="group"; Members="Clients\Client1")
    OU=Clients
        CN=Client1(objectClass="group"; Members=".\client1-emp1; .\client1-emp2")
        CN=client1-Emp1 (objectClass="user"; Primary Group="Client1")
        CN=client1-Emp2 (objectClass="user"; Primary Group="Domain Users")

Why will the following recursive search omit client1-emp1 simply because its primary group is not set to either "Domain Users" or "Domain Guests"? Also, what other groups can be set as the primary group so that emp1 is successfully included in the search?

using System.Diagnostics;
using System.DirectoryServices.AccountManagement;

var ctx = new PrincipalContext(ContextType.Domain, "mydomain.org");
var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "CompanyClients");

var results = group.GetMembers(recursive: true);
// results excludes client1-emp1 but includes client1-emp2
foreach (var principal in results)
{
    Debug.WriteLine("Principal:" + principal.SamAccountName);
}

Results:

Principal: client1-emp2


Comments (1)

我一直都在从未离去 2024-11-16 22:39:51


If you check the "memberOf" property of an object in Active Directory (check e.g. your own account) you will see that it does not include your primary group (which is most likely "Domain Users"). You can see what the primary group of a person is by looking at the "primaryGroupID" property, which is "513" if your primary group is Domain Users.

Similarly, if you check the "member" property of "Domain Users", you will not see the people that have Domain Users as primary group.

I remember reading somewhere that this is done for performance reasons (of course now I cannot find the article), as having a group with too many members would impact performance under some circumstances.

Probably, the GetMembers method of GroupPrincipal does not search for users that have the group as primary group (i.e. it does not check the PrimaryGroupId attribute), that's why you don't see one of the members.

This article explains how to resolve the primary group for a user; I think you should be able to use the concepts explained here to solve your problem: How to use the PrimaryGroupID attribute to find the primary group for a user
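As an added illustration of the answer above (example code, not from the question or the answer): an in-memory Python model of the question's hierarchy that resolves a user's primary group from the RID stored in primaryGroupID plus the domain SID (the SID, RIDs and DNs are constructed), then expands CompanyClients with and without that step, reproducing the omission the question observed.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain SID
BASE = "OU=Clients,OU=MyApplication,DC=mydomain,DC=org"

# Constructed snapshot of the question's hierarchy, keyed by distinguishedName.
DIRECTORY = {
    "CN=CompanyClients,OU=MyApplication,DC=mydomain,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1101", "member": [f"CN=Client1,{BASE}"]},
    f"CN=Client1,{BASE}": {
        # client1-Emp1 has Client1 as its primary group, so AD does not list it in "member"
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1102", "member": [f"CN=client1-Emp2,{BASE}"]},
    "CN=Domain Users,CN=Users,DC=mydomain,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-513", "member": []},  # RID 513
    f"CN=client1-Emp1,{BASE}": {
        "objectClass": "user", "sAMAccountName": "client1-emp1", "primaryGroupID": 1102},
    f"CN=client1-Emp2,{BASE}": {
        "objectClass": "user", "sAMAccountName": "client1-emp2", "primaryGroupID": 513},
}

def primary_group_dn(user_dn, directory=DIRECTORY, domain_sid=DOMAIN_SID):
    """primaryGroupID is only a RID: append it to the domain SID and match on objectSid."""
    target_sid = f"{domain_sid}-{directory[user_dn]['primaryGroupID']}"
    for dn, attrs in directory.items():
        if attrs["objectClass"] == "group" and attrs["objectSid"] == target_sid:
            return dn
    return None

def effective_members(group_dn, directory=DIRECTORY, include_primary=True):
    """Expand nested groups via "member"; optionally add users whose primary group is one of them."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:  # guards against nested-group cycles
            continue
        seen.add(dn)
        for member_dn in directory[dn]["member"]:
            if directory[member_dn]["objectClass"] == "group":
                stack.append(member_dn)
            else:
                users.add(directory[member_dn]["sAMAccountName"])
        if include_primary:  # the step the question's GetMembers(recursive: true) output lacks
            for user_dn, attrs in directory.items():
                if attrs["objectClass"] == "user" and primary_group_dn(user_dn, directory) == dn:
                    users.add(attrs["sAMAccountName"])
    return sorted(users)

if __name__ == "__main__":
    top = "CN=CompanyClients,OU=MyApplication,DC=mydomain,DC=org"
    print("member attribute only:", effective_members(top, include_primary=False))
    print("with primary groups:  ", effective_members(top))
```

For an access review, the second listing is the one that reflects who actually holds the group's rights.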
