当前位置: 文江博客话题详情

获取 Active Directory 组的成员并检查它们是否已启用或禁用

发布于 2024-12-02 05:36:04 字数 95 浏览 0 评论 0原文

获取给定 AD 组中所有成员/用户的列表并确定用户是否启用(或禁用)的最快方法是什么?

我们可能谈论的是 20K 用户,因此我想避免为每个单独的用户点击 AD。

原文

What is the fastest way to get a list of all members/users in a given AD group and determine whether or not a user is enabled (or disabled)?

We are potentially talking about 20K users, so I would like to avoid hitting the AD for each individual user.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

腹黑女流氓 2024-12-09 05:36:04

如果您使用的是 .NET 3.5 及更高版本,则应查看 System.DirectoryServices.AccountManagement (S.DS.AM) 命名空间。请在此处阅读全部内容:

基本上,您可以定义一个域上下文并轻松查找 AD 中的用户和/或组:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
   // iterate over members
   foreach (Principal p in group.GetMembers())
   {
      Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);

      // do whatever you need to do to those members
      UserPrincipal theUser = p as UserPrincipal;

      if(theUser != null)
      {
          if(theUser.IsAccountLockedOut()) 
          {
               ...
          }
          else
          {
               ...
          }
      }
   }
}

新的 S.DS.AM 使在 AD 中使用用户和组变得非常容易!

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// if found....
if (group != null)
{
   // iterate over members
   foreach (Principal p in group.GetMembers())
   {
      Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);

      // do whatever you need to do to those members
      UserPrincipal theUser = p as UserPrincipal;

      if(theUser != null)
      {
          if(theUser.IsAccountLockedOut()) 
          {
               ...
          }
          else
          {
               ...
          }
      }
   }
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

回复 原文
阳光①夏 2024-12-09 05:36:04

请您尝试以下代码。它使用 搜索过滤器语法 来获取您希望在一次 LDAP 查询和递归中得到什么。有趣的是查询是在服务器上完成的。我不确定它是否比 @marc_s 解决方案更快,但它存在,并且它适用于框架 .NET 2.0(从 W2K3 SP2 开始)。

string sFromWhere = "LDAP://WM2008R2ENT:389/dc=dom,dc=fr";
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "test.2011");

/* To find all the users member of groups "Grp1"  :
 * Set the base to the groups container DN; for example root DN (dc=societe,dc=fr) 
 * Set the scope to subtree
 * Use the following filter :
 * (member:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=X)
 * coupled with LDAP_MATCHING_RULE_BIT_AND on userAccountControl with ACCOUNTDISABLE
 */
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr)(userAccountControl:1.2.840.113556.1.4.803:=2))";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");

SearchResultCollection srcUsers = dsLookFor.FindAll();

/* Just to know if user is present in an other group
 */
foreach (SearchResult srcUser in srcUsers)
{
  Console.WriteLine("{0}", srcUser.Path);
}

Please can you try the following code. it use Search Filter Syntax to get what you want in one LDAP query and recursively. The interest is that the query is done on the server. I'am not sure that it faster than @marc_s solution but it exists, and it works on framework .NET 2.0 (begining W2K3 SP2).

string sFromWhere = "LDAP://WM2008R2ENT:389/dc=dom,dc=fr";
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "test.2011");

/* To find all the users member of groups "Grp1"  :
 * Set the base to the groups container DN; for example root DN (dc=societe,dc=fr) 
 * Set the scope to subtree
 * Use the following filter :
 * (member:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=X)
 * coupled with LDAP_MATCHING_RULE_BIT_AND on userAccountControl with ACCOUNTDISABLE
 */
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr)(userAccountControl:1.2.840.113556.1.4.803:=2))";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");

SearchResultCollection srcUsers = dsLookFor.FindAll();

/* Just to know if user is present in an other group
 */
foreach (SearchResult srcUser in srcUsers)
{
  Console.WriteLine("{0}", srcUser.Path);
}
回复 原文
~没有更多了~

关于作者

允世

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

離殇

文章 0 评论 0

小姐丶请自重

文章 0 评论 0

Aik

文章 0 评论 0

国产ˉ祖宗

文章 0 评论 0

猥琐帝

文章 0 评论 0

半仙

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文