Checking group membership
I'm using UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups()
to authorize a user against a group in Active Directory. It works fine for simple groups, but not for nested groups. Let's say I have the following structure:

Administrators members:
    SomeAdminAccountName
Users members:
    Administrators
    SomeUserAccountName

The Users group contains the Administrators group (since all administrators should be able to do what users can). The problem is that UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName").GetGroups()
does not include the Users group.

If I use GroupPrincipal.FindByIdentity(ctx, groupName).Members
I do see that the Administrators group is part of it, but the administrator account is not included.

My question is:
Do I need to do a recursive group check to find a user, or is there another way that I haven't found?
Answers (2)
To check a user against a group I would try IsMemberOf.
You may also approach the problem from the other direction: find the group and get all of its members using the GetMembers function with the recursive flag set. As most applications use a small number of groups, you should be able to cache this for reuse; in my work 5-30 minutes is usually an acceptable caching time.
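The group-side approach described above, with the suggested cache, as an added C# example that is not code from the question or from this answer. It assumes a domain reachable through the default PrincipalContext and uses the names Users and SomeAdminAccountName from the question; the cache class and its 10-minute lifetime are my own choice to illustrate the caching suggestion. For contrast it also shows the direct-only GetGroups() check from the question and a third option the page does not mention, UserPrincipal.GetAuthorizationGroups(), which returns the groups that would appear in the user's security token, nested groups included. All three compare SIDs rather than display names, since names can be ambiguous or renamed.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example; not code from the question or the answers.
// Assumes a domain reachable through the default PrincipalContext and that
// "Users" and "SomeAdminAccountName" (taken from the question) exist there.
static class NestedGroupCheck
{
    // Transitive membership cache: group SID -> (time loaded, member SIDs).
    // The lifetime (10 minutes) is an arbitrary pick within the 5-30 minute
    // range the answer above calls acceptable.
    static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(10);
    static readonly Dictionary<SecurityIdentifier, KeyValuePair<DateTime, HashSet<SecurityIdentifier>>> MemberCache
        = new Dictionary<SecurityIdentifier, KeyValuePair<DateTime, HashSet<SecurityIdentifier>>>();

    // Direct membership only: what the question reports GetGroups() returning.
    // For SomeAdminAccountName this finds Administrators but not Users.
    static bool IsDirectMember(UserPrincipal user, GroupPrincipal group)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetGroups())
        {
            foreach (Principal p in groups)
                if (group.Sid.Equals(p.Sid)) return true;   // compare SIDs, not names
        }
        return false;
    }

    // Group side, as suggested in the answer: expand the group once with
    // GetMembers(recursive: true), cache the member SIDs, then test users
    // against the cached set. Nested members such as
    // Users -> Administrators -> SomeAdminAccountName are included.
    static HashSet<SecurityIdentifier> TransitiveMembers(GroupPrincipal group)
    {
        KeyValuePair<DateTime, HashSet<SecurityIdentifier>> cached;
        lock (MemberCache)
        {
            if (MemberCache.TryGetValue(group.Sid, out cached)
                && DateTime.UtcNow - cached.Key < CacheLifetime)
                return cached.Value;
        }

        var sids = new HashSet<SecurityIdentifier>();
        using (PrincipalSearchResult<Principal> members = group.GetMembers(true))
        {
            foreach (Principal p in members)
                if (p.Sid != null) sids.Add(p.Sid);
        }

        lock (MemberCache)
        {
            MemberCache[group.Sid] =
                new KeyValuePair<DateTime, HashSet<SecurityIdentifier>>(DateTime.UtcNow, sids);
        }
        return sids;
    }

    static bool IsRecursiveMember(UserPrincipal user, GroupPrincipal group)
    {
        return TransitiveMembers(group).Contains(user.Sid);
    }

    // User side: GetAuthorizationGroups() returns the groups that would be in
    // the user's security token, nested groups included, so Users shows up
    // for SomeAdminAccountName here even though GetGroups() omits it.
    static bool IsTokenMember(UserPrincipal user, GroupPrincipal group)
    {
        using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
        {
            foreach (Principal p in groups)
                if (group.Sid.Equals(p.Sid)) return true;
        }
        return false;
    }

    static void Main()
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeAdminAccountName"))
        using (GroupPrincipal users = GroupPrincipal.FindByIdentity(ctx, "Users"))
        {
            if (user == null || users == null)
                throw new InvalidOperationException("user or group not found");

            Console.WriteLine("direct    : " + IsDirectMember(user, users));
            Console.WriteLine("recursive : " + IsRecursiveMember(user, users));
            Console.WriteLine("token     : " + IsTokenMember(user, users));
        }
    }
}
```

With the structure from the question, the direct check returns false for the admin account while the recursive and token checks return true. The cache is per process, so a membership change takes up to CacheLifetime to be honoured; if removals must take effect immediately (for example on account disablement), call the live check instead of the cached one for that decision.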
You could be the victim of Windows User Account Control (Vista or Win7). When an admin logs on with UAC enabled, Windows creates a "split token", i.e. they run as if their account isn't part of the admin group unless/until their permissions for the running process are explicitly elevated. You can verify whether this is the case by elevating the executing process, running it as admin (or starting VS as admin if you're running under VS debug mode).