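How to get the IADsGroup object of a group in a domain using ADsGetObject?
Short version
How do I get the IADsGroup interface of the group stackoverflow\itops?
Long version
I am trying to get the IADsGroup of a group using the ADsGetObject function.
The only information I have:
- groupName: e.g. itops
- domainName: e.g. stackoverflow
The function takes an LDAP path to the object: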
HRESULT ADsGetObject(
[in] LPCWSTR lpszPathName,
[in] REFIID riid,
[out] VOID **ppObject
);
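The real difficulty is in coming up with the actual LDAP path of the group. For example:
- LDAP://stackoverflow/itops fails ("An invalid dn syntax has been specified")
- LDAP://cn=itops,dn=stackoverflow fails with 0x80072020 ("An operations error occurred")
- LDAP://cn=itops,dc=stackoverflow fails with 0x8007202b ("A referral was returned from the server")
The question
Given:
- a group name (e.g. "itops")
- a domain name (e.g. "stackoverflow")
how do I get the IADsGroup interface of the group stackoverflow\itops?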
Bonus reading
- MSDN:
- MSDN:
- MSDN: LDAP ADsPath
- Binding to an Object Using a SID
- MSDN: Example code for getting the domain name
- ServerFault: Getting the AD group path in a domain/tree
- Proper syntax for an LDAP path
- Stack Overflow: LDAP path and permissions to query local user directory? (stackoverflow.com/questions/23808451/ldap-path-and-permissions-to-query-local-user-directory)
- MSDN: WinNT ADsPath (learn.microsoft.com/en-us/windows/win32/adsi/winnt-adspath)
- WinNT vs. LDAP
- MSDN: Glossary, WinNT: "The Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it treats it as a flat namespace
- C language functions: ADsGetObject example code
- MSDN: Unsupported IADsUser properties ("To get and/or modify these properties, use the LDAP provider")
- MSDN: WinNT custom user properties ("The WinNT provider makes available the following custom properties for the User class")
Comments (2)
If you don't know the dn of the domain then you can obtain it via rootDSE
There are several unique identifiers for objects in AD, and they can't all be used in the same way, which makes things a bit confusing.
This is documentation you need for that path (which you already linked to): LDAP ADsPath
That shows that the LDAP path should look like:
The HostName, PortNumber and DistinguishedName are all optional, depending on what you're trying to do. If you need to bind to a specific object - which is what you're trying to do - then the DistinguishedName is mandatory.
The distinguished name is the distinguishedName attribute of the object, which is why Luke suggested that you use AD Explorer to browse to the object in your directory and inspect the value of the distinguishedName attribute. The DN is a concatenation of the common name (CN), each organizational unit (OU) and the domain DNS name (e.g. stackoverflow.com) split into each of its domain components (DC). That will look something like this:
The format STACKOVERFLOW\ITOps is the domain's short name (officially called the NetBIOS name), combined with the sAMAccountName attribute of the object. This format is often used for authenticating with user accounts, but cannot be used in an LDAP path.
If you're hard coding this group into your code, then just look up the distinguishedName and use that. If you will be given the STACKOVERFLOW\ITOps format by the user and need to bind to it, then you can either:
- Use IADsNameTranslate to translate from ADS_NAME_TYPE_NT4 to ADS_NAME_TYPE_1779, or
- Perform a search on the domain for (sAMAccountName=ITOps). To perform an LDAP search in C++, see the documentation for IDirectorySearch. You still have to provide an LDAP path for the search, but you can just provide the domain DNS name (e.g. LDAP://stackoverflow.com). That allows you to specify which attributes it wants you to return, so you can tell it that you want the distinguishedName. Or if your purpose in binding to the object is to read some other attribute, then you can specify those attributes and read those attributes from the search result, and then you can skip the next step of binding directly to the object.
It seems like you plan to use C++, but you didn't specifically say that. Are you using C++?
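When the STACKOVERFLOW\ITOps string comes from a user, as in the search option described in the answer above, the account part should be escaped before it is placed in the (sAMAccountName=...) filter. The C++ below is an added example, not part of the answer or of ADSI: the helper names splitNt4, escapeFilterValue, groupFilter and dcComponents are hypothetical, and it covers only the string handling, leaving the IDirectorySearch call itself to the caller.

```cpp
// Added example, not from the original post. Plain string handling, no ADSI calls.
#include <iostream>
#include <string>
#include <utility>

// Split NT4-style "DOMAIN\account"; returns two empty strings if malformed.
std::pair<std::string, std::string> splitNt4(const std::string& nt4) {
    const auto pos = nt4.find('\\');
    if (pos == std::string::npos || pos == 0 || pos + 1 == nt4.size()) return {};
    return {nt4.substr(0, pos), nt4.substr(pos + 1)};
}

// RFC 4515 escaping for a value placed inside an LDAP search filter.
std::string escapeFilterValue(const std::string& value) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : value) {
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0')
            out.append({'\\', hex[c >> 4], hex[c & 15]});
        else
            out += static_cast<char>(c);
    }
    return out;
}

// The answer's filter, with the user-supplied account name escaped.
std::string groupFilter(const std::string& account) {
    return "(sAMAccountName=" + escapeFilterValue(account) + ")";
}

// "stackoverflow.com" -> "DC=stackoverflow,DC=com" (the DC part of a DN).
std::string dcComponents(const std::string& dnsName) {
    std::string out;
    std::size_t start = 0;
    while (start < dnsName.size()) {
        auto end = dnsName.find('.', start);
        if (end == std::string::npos) end = dnsName.size();
        if (end > start) out += (out.empty() ? "DC=" : ",DC=") + dnsName.substr(start, end - start);
        start = end + 1;
    }
    return out;
}

int main() {
    // Constructed inputs: a normal name and one carrying filter metacharacters.
    const char* inputs[] = {"STACKOVERFLOW\\ITOps", "STACKOVERFLOW\\IT*)(x=y"};
    for (const char* in : inputs)
        std::cout << "LDAP://stackoverflow.com  " << groupFilter(splitNt4(in).second) << '\n';
    std::cout << dcComponents("stackoverflow.com") << '\n';
}
```

The NetBIOS domain part returned by splitNt4 is not usable in the LDAP path; the search path still needs the domain DNS name, as the answer notes.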