LDAP query to find all computers in a security group
This is what I tried:
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Escape a value before splicing it into an LDAP filter (RFC 4515), so a
// crafted group name cannot change the meaning of the query.
static string EscapeLdap(string s) =>
    s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

public List<string> GetUsersInGroup(string domain, string group)
{
    List<string> groupMembers = new List<string>();
    DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain);

    // Resolve the group's distinguished name from its sAMAccountName.
    DirectorySearcher groupSearch = new DirectorySearcher(entry);
    groupSearch.Filter = "(&(objectClass=group)(sAMAccountName=" + EscapeLdap(group) + "))";
    groupSearch.PropertiesToLoad.Add("distinguishedName");
    SearchResult srG = groupSearch.FindOne();
    if (srG == null)
        throw new ArgumentException("Group not found: " + group);
    string DN = srG.Properties["distinguishedName"][0].ToString();

    // Find users and computers whose memberOf attribute lists that DN.
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    mySearcher.Filter = "(|(&(objectClass=computer)(memberOf=" + EscapeLdap(DN) + "))(&(objectClass=user)(memberOf=" + EscapeLdap(DN) + ")))";
    foreach (SearchResult resEnt in mySearcher.FindAll())
    {
        groupMembers.Add(resEnt.GetDirectoryEntry().Name);
    }
    return groupMembers;
}
Edit:
It's good for finding USERS belonging to the group, but I can get the Computers (memberOf) of the group if the group is "Domain Computers" or "Domain Controllers" (primary groups!).
Can someone help me?
The primary group of an object (user or computer) in AD is stored in a property called "primaryGroupID". For example, for users this is generally 513, which means that the primary group is "Domain Users".
The built-in groups (Domain Users, Domain Computers, etc.) have many members, and storing the membership in the usual way through the "member" property would cause performance issues. This is why you don't see "Domain Computers" in the memberOf property.
Basically, if you want to find computers that are members of "Domain Computers", you must run the query
Check How to use the PrimaryGroupID attribute to find the primary group for a user - this applies also to computers.
Also check Well-known security identifiers in Windows operating systems
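As an added illustration of the answer above (not the asker's or answerer's code), the following C# resolves a group's DN and RID, then matches computers either listed in memberOf or carrying that RID in primaryGroupID, with filter values escaped; the class and method names and the assumption that the caller's current credentials can bind to `LDAP://domain` are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class GroupComputers
{
    // Escape a value before splicing it into an LDAP filter (RFC 4515),
    // so a crafted group name cannot change the meaning of the query.
    static string EscapeFilter(string s) =>
        s.Replace("\\", "\\5c").Replace("*", "\\2a")
         .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    public static List<string> GetComputersInGroup(string domain, string group)
    {
        var members = new List<string>();
        using (var root = new DirectoryEntry("LDAP://" + domain)) // assumption: current credentials suffice
        {
            // 1. Locate the group and read both its DN and its objectSid.
            var groupSearch = new DirectorySearcher(root)
            {
                Filter = "(&(objectClass=group)(sAMAccountName=" + EscapeFilter(group) + "))"
            };
            groupSearch.PropertiesToLoad.Add("distinguishedName");
            groupSearch.PropertiesToLoad.Add("objectSid");
            SearchResult g = groupSearch.FindOne();
            if (g == null) throw new ArgumentException("group not found: " + group);
            string dn = (string)g.Properties["distinguishedName"][0];
            // The RID is the last sub-authority of the group's SID (515 for Domain Computers).
            var sid = new SecurityIdentifier((byte[])g.Properties["objectSid"][0], 0);
            string rid = sid.Value.Substring(sid.Value.LastIndexOf('-') + 1);

            // 2. Match computers listed explicitly in memberOf OR whose primaryGroupID
            //    equals the group's RID (primary membership never appears in member/memberOf).
            var computerSearch = new DirectorySearcher(root)
            {
                Filter = "(&(objectCategory=computer)(|(memberOf=" + EscapeFilter(dn) + ")(primaryGroupID=" + rid + ")))",
                PageSize = 1000 // paged results so large domains are not cut off at the server's 1000-entry limit
            };
            computerSearch.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = computerSearch.FindAll())
            {
                foreach (SearchResult r in results)
                    members.Add((string)r.Properties["sAMAccountName"][0]);
            }
        }
        return members;
    }
}
```

Because the RID is read from the group's own objectSid, the same call works for "Domain Computers", "Domain Controllers" or any custom group used as a primary group.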