Active Directory subgroup search

Posted on 2024-12-04 07:38:20, 2356 characters, 2 views, 0 comments

I have a root AD group and need to enumerate through all its subgroups. I have code that connects to the AD server and tries to retrieve the list of subgroups.

Here's the code:

        private IEnumerable<SearchResult> GetSubGroups(string groupId)
        {
            using (var searcher = new DirectorySearcher(new DirectoryEntry(adServerName, adLogin, adPassword)))
            {

                searcher.Filter = string.Format("(&(objectClass=group)({0}))", groupId);
                //Get the Root Group
                var result = searcher.FindOne();
                object resultMembers = result.GetDirectoryEntry().Invoke("Members", null);

                foreach(var member in ((IEnumerable) resultMembers))
                {
                    var memberEntry = new DirectoryEntry(member);

                    var subgroupsSearcher = new DirectorySearcher(memberEntry);
                    subgroupsSearcher.Filter = "(objectClass=group)";
                    subgroupsSearcher.PropertiesToLoad.Add("samaccountname");
                    subgroupsSearcher.PropertiesToLoad.Add("name");

                    var foundSubGroupResult = subgroupsSearcher.FindOne();

                    ...
                }

                return new List<SearchResult> {result};
            }
        }

When enumerating through the Invoke("Members", null) results I create another DirectoryEntry for each result.
The problem is that when subgroupSearcher.FindOne() is called, it ends up with a DirectoryServicesCOMException.

Here's the exception stack trace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
...other methods...

The exception's Message property says: "An operations error occurred"
I've logged the ErrorCode, it's -2147016672

I also attempted to initialize UserName property implicitly, when creating the DirectoryEntry from the subgroup object:

        foreach(var member in ((IEnumerable) resultMembers))
        {
            var memberEntry = new DirectoryEntry(member);
            memberEntry.Username = adLogin;
            var subgroupsSearcher = new DirectorySearcher(memberEntry);

            ...
        }

But it gave the same result.

What am I doing wrong? Any help is appreciated.


Comments (2)

白色秋天 2024-12-11 07:38:20

Not sure why you're calling Invoke("members"). You'd want to just have the DirectorySearcher give you back the member attribute of the group. Two things you need to deal with:

梦境 2024-12-11 07:38:20

Here is a piece of code. It allows using a recursive filter (see Search Filter Syntax) to retrieve all the members of a group that are of the class 'group' (the thing you call subgroups).

static void Main(string[] args)
{
  /* Connection to Active Directory
   */
  string sFromWhere = "LDAP://WM2008R2ENT:389/dc=dom,dc=fr";
  DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "test.2011");

  /* To find all the groups that are members, directly or through nesting, of the group "MonGrpSec":
   * Set the base to the groups container DN; for example the root DN (dc=dom,dc=fr)
   * Set the scope to subtree
   * Use the following filter:
   * (memberof:1.2.840.113556.1.4.1941:=CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr)
   * combined with an AND on (objectClass=group)
   */
  DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
  dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr)(objectClass=group))";
  dsLookFor.SearchScope = SearchScope.Subtree;
  dsLookFor.PropertiesToLoad.Add("cn");

  SearchResultCollection srcGroups = dsLookFor.FindAll();

  /* Just to write some result
   */
  foreach (SearchResult srcGroup in srcGroups)
  {
    Console.WriteLine("{0}", srcGroup.Path);
  }

  Console.ReadLine();
}