
How best to recursively query AD group membership in ASP.NET (using VB)

Stack Overflow user
Asked 2012-10-24 23:52:33
3 answers, 11.8K views, 0 followers, 4 votes

I'm trying to find the simplest way to query Active Directory in one of two ways:

  1. Given an AD user name, find all the groups the user belongs to (including nested groups).
  2. Given an AD group name, find all the users in the group (including users in nested groups).

My application is in VB.NET on the v4.0 framework. I've reviewed suggestions from many different Google results, some of which use LDAP and System.DirectoryServices.DirectorySearcher (which I think is probably the best route).

But I'm spinning my wheels looking for code samples.

Thanks.

Update:

I have the following in place:

<add assembly="System.DirectoryServices, Version=3.5.0.0, etc."/>
<add namespace="System.DirectoryServices.AccountManagement" />
Imports System.DirectoryServices.AccountManagement

On this line of code:

Dim ctx As New PrincipalContext(ContextType.Domain)

I still get this error: Type 'PrincipalContext' is not defined

When you mention a "using statement", I assume you mean I need to reference this namespace. Or do you mean I should do something like this?

Using ctx As New PrincipalContext(ContextType.Domain)

3 Answers

Stack Overflow user

Accepted answer

Posted 2012-12-17 10:14:58

A complete example

This code will list all users in the group and its sub-groups by enumerating the given group name. It also checks whether the user account is enabled or disabled.

To use it, just call ListADGroupMembers("Some_Group_Name"). This will populate user full names and mobile numbers into an array that you can then loop over.

Very simple, just read through it.

Imports System.Collections.Generic
Imports System.Collections.Specialized
Imports System.DirectoryServices

Public ADUSers(,) As String
Public n As Integer = 0

' Paths of groups already expanded. AD allows nested groups to form a cycle
' (A contains B, B contains A); without this guard the recursion never ends.
Private VisitedGroups As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)

Public Sub ListADGroupMembers(ByVal GN As String)

    Dim DirectoryRoot As New DirectoryEntry("LDAP://RootDSE")
    Dim DNC As String = DirectoryRoot.Properties("defaultNamingContext")(0).ToString()
    Dim GroupName As String = GN '"G_All_IT_Users"

    ' Start from an empty result. The array must be dimensioned before the
    ' first ADUSers(0, n) = ... assignment, otherwise it is Nothing and throws.
    n = 0
    ReDim ADUSers(1, 0)
    VisitedGroups.Clear()

    Dim GroupMembers As StringCollection = GetGroupMembers(DNC, GroupName)
    ' GroupMembers now holds the sAMAccountName of every enabled user found in
    ' the group or any nested group; ADUSers(0, i) / ADUSers(1, i) hold the
    ' same names alongside their mobile numbers.
    '  For Each Member As String In GroupMembers
    '    ListBox1.Items.Add(Member)
    'Next Member

End Sub

Public Function GetGroupMembers(ByVal strDomain As String, ByVal strGroup As String) As StringCollection

    Dim GroupMembers As New StringCollection()

    Try
        Dim DirectoryRoot As New DirectoryEntry("LDAP://" & strDomain)
        ' Match group objects only: a bare (CN=...) filter also hits users,
        ' computers or OUs with the same name. strGroup is spliced into the
        ' filter verbatim, so pass only trusted names or escape it per RFC 4515.
        Dim DirectorySearch As New DirectorySearcher(DirectoryRoot, "(&(objectClass=group)(cn=" & strGroup & "))")
        Dim DirectorySearchCollection As SearchResultCollection = DirectorySearch.FindAll()
        For Each DirectorySearchResult As SearchResult In DirectorySearchCollection
            ' HashSet.Add returns False when this group was expanded already.
            If Not VisitedGroups.Add(DirectorySearchResult.Path) Then Continue For

            Dim ResultPropertyCollection As ResultPropertyCollection = DirectorySearchResult.Properties
            For Each MemberValue As Object In ResultPropertyCollection("member")
                Dim GroupMemberDN As String = MemberValue.ToString()
                Dim DirectoryMember As New DirectoryEntry("LDAP://" & GroupMemberDN)
                Dim DirectoryMemberProperties As PropertyCollection = DirectoryMember.Properties
                Dim DirectoryItem As Object = DirectoryMemberProperties("sAMAccountName").Value
                Dim DirectoryPhone As Object = DirectoryMemberProperties("mobile").Value
                Dim uac As Object = DirectoryMemberProperties("userAccountControl").Value

                If DirectoryMember.SchemaClassName = "group" Then
                    ' this is a group: recurse on its CN and merge the users it yields.
                    Dim NestedCN As String = DirectoryMemberProperties("cn").Value.ToString()
                    For Each Nested As String In GetGroupMembers(strDomain, NestedCN)
                        GroupMembers.Add(Nested)
                    Next Nested
                ElseIf DirectoryMember.SchemaClassName = "user" Then
                    ' this is a user.
                    If DirectoryItem IsNot Nothing AndAlso uac IsNot Nothing Then
                        If AccEnabled(CInt(uac)) = 1 Then ' check the ad account is enabled
                            GroupMembers.Add(DirectoryItem.ToString())

                            ADUSers(0, n) = DirectoryItem.ToString()
                            ADUSers(1, n) = If(DirectoryPhone Is Nothing, "", DirectoryPhone.ToString())
                            n += 1
                            ReDim Preserve ADUSers(1, n)
                        End If
                    End If
                End If

            Next MemberValue

        Next DirectorySearchResult
    Catch ex As Exception
        ' MsgBox has no place in an ASP.NET process: log and return what was collected.
        System.Diagnostics.Trace.TraceError(ex.ToString())
    End Try

    Return GroupMembers

End Function

' check account is active or not: returns 1 when enabled, 0 when the
' ACCOUNTDISABLE bit (0x2) of userAccountControl is set. Testing the bit
' replaces the earlier table of whole userAccountControl values, which fell
' through to "disabled" for every flag combination it did not list.
Function AccEnabled(ByVal uac As Integer) As Integer

    Const ACCOUNTDISABLE As Integer = &H2
    If (uac And ACCOUNTDISABLE) = 0 Then
        Return 1
    Else
        Return 0
    End If

End Function
Votes: 4
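The following is an added example (editor's code, not from the asker or the answer above) that covers both cases from the question, group-to-users and user-to-groups, over a constructed in-memory directory. It shows the three things the accepted answer's approach needs in practice: a visited set so nested-group cycles terminate, an ACCOUNTDISABLE bit test instead of a table of whole userAccountControl values, and RFC 4515 escaping of the group name before it is spliced into the search filter. All DNs, account names and flag values are made up, and `lookup()` stands in for the DirectoryEntry read against a real domain.

```python
"""Recursive AD group expansion in both directions, with a cycle guard,
an ACCOUNTDISABLE bit test and RFC 4515 filter escaping.

Editor-added example. DIRECTORY is a constructed stand-in for the LDAP
attributes the VB.NET answer reads (objectClass, member, memberOf,
sAMAccountName, userAccountControl); replace lookup() with a real read
such as DirectoryEntry("LDAP://" + dn) to run it against a domain."""

ACCOUNTDISABLE = 0x0002          # userAccountControl flag: 514 == 512 | 2

# Constructed sample data. G_All_IT_Users holds a user and a nested group;
# Helpdesk and Admins nest each other, so recursion that follows `member`
# without remembering what it has already expanded never terminates.
DIRECTORY = {
    "CN=G_All_IT_Users,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=bob,OU=Users,DC=example,DC=com",
                   "CN=Admins,OU=Groups,DC=example,DC=com"]},
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=carol,OU=Users,DC=example,DC=com",
                   "CN=Helpdesk,OU=Groups,DC=example,DC=com"]},  # the cycle
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice",
        "userAccountControl": 512},      # NORMAL_ACCOUNT
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "bob",
        "userAccountControl": 66050},    # DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "CN=carol,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "carol",
        "userAccountControl": 66048},    # DONT_EXPIRE_PASSWORD
}

# AD maintains memberOf as the back-link of member; derive it for the mock.
for _dn, _attrs in DIRECTORY.items():
    for _member in _attrs.get("member", []):
        DIRECTORY[_member].setdefault("memberOf", []).append(_dn)


def lookup(dn):
    """Stand-in for reading one object by DN (DirectoryEntry in .NET)."""
    return DIRECTORY.get(dn, {})


def is_enabled(uac):
    """True unless ACCOUNTDISABLE is set, whatever other flags are present."""
    return not (int(uac) & ACCOUNTDISABLE)


def expand_group(group_dn, include_disabled=False):
    """Case 2: sAMAccountNames of all users transitively in group_dn."""
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:               # already expanded: breaks nesting cycles
            continue
        seen.add(dn)
        for member_dn in lookup(dn).get("member", []):
            obj = lookup(member_dn)
            if obj.get("objectClass") == "group":
                todo.append(member_dn)
            elif obj.get("objectClass") == "user":
                if include_disabled or is_enabled(obj.get("userAccountControl", 0)):
                    users.add(obj["sAMAccountName"])
    return users


def groups_of_user(user_dn):
    """Case 1: DNs of all groups user_dn transitively belongs to."""
    groups, todo = set(), list(lookup(user_dn).get("memberOf", []))
    while todo:
        dn = todo.pop()
        if dn in groups:             # same guard, walking memberOf upwards
            continue
        groups.add(dn)
        todo.extend(lookup(dn).get("memberOf", []))
    return groups


def escape_ldap_filter(value):
    """RFC 4515 escaping for a value spliced into a search filter. The answer's
    "(CN=" & strGroup & ")" concatenation lets a name such as *)(objectClass=*
    rewrite the filter; escaping the five special characters neutralises it."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def group_by_name_filter(cn):
    """Filter that matches only group objects with the given CN."""
    return "(&(objectClass=group)(cn=%s))" % escape_ldap_filter(cn)


def transitive_members_filter(group_dn):
    """Server-side alternative to client recursion: AD's LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) makes the DC walk nested membership itself."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % escape_ldap_filter(group_dn)


if __name__ == "__main__":
    top = "CN=G_All_IT_Users,OU=Groups,DC=example,DC=com"
    print(sorted(expand_group(top)))                                   # ['alice', 'carol']
    print(sorted(groups_of_user("CN=carol,OU=Users,DC=example,DC=com")))
    print(group_by_name_filter("*)(objectClass=*"))
```

`transitive_members_filter()` builds the filter for the approach the page does not mention but which is the usual replacement for client-side recursion against AD: the matching rule `1.2.840.113556.1.4.1941` (supported since Windows Server 2003 SP2) has the domain controller resolve nesting in one search, so `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)` returns every transitive member and `(member:1.2.840.113556.1.4.1941:=<user DN>)` every group a user is in. Whichever path is used, the DN or name must be escaped first, and very large groups return `member` in ranges (1500 values per read by default), which the mock above does not model.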

Stack Overflow user

Posted 2012-10-25 04:55:47

Try this:

' Needs a project reference to System.DirectoryServices.AccountManagement.dll,
' not only the Imports line.
Imports System.DirectoryServices.AccountManagement

' set up domain context (Using releases the underlying LDAP connection)
Using ctx As New PrincipalContext(ContextType.Domain)

    ' find a user; the identity can be a sAMAccountName, UPN, SID or DN
    Dim user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, "SomeUserName")

    If user IsNot Nothing Then
        ' GetAuthorizationGroups() returns the security groups the user is in,
        ' nested ones included (it reads the token groups server-side);
        ' GetGroups() would return direct memberships only.
        Using groupMemberships = user.GetAuthorizationGroups()
            For Each p As Principal In groupMemberships
                Dim gp As GroupPrincipal = TryCast(p, GroupPrincipal)
                If gp IsNot Nothing Then
                    ' do something with group....
                    Console.WriteLine(gp.SamAccountName)
                End If
            Next
        End Using
    End If
End Using

You should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

The new S.DS.AM makes it really easy to play with users and groups in AD!

The .GetAuthorizationGroups() method does a recursive search, so you should get all the groups the user belongs to directly or indirectly.

Votes: 3

Stack Overflow user

Posted 2013-10-16 13:34:07

Imports System.Collections.Generic
Imports System.Security.Principal

' userName must be a UPN (user@domain.example): this WindowsIdentity
' constructor builds the token with a Kerberos S4U logon, no password needed.
Private Function GetGroups(userName As String) As List(Of String)
    Dim result As New List(Of String)

    Using wi As New WindowsIdentity(userName)
        ' wi.Groups are the SIDs from the token, so nested and domain-local
        ' groups are already resolved; translate each SID to DOMAIN\Name.
        For Each group As IdentityReference In wi.Groups
            Try
                result.Add(group.Translate(GetType(NTAccount)).ToString())
            Catch ex As IdentityNotMappedException
                ' SID with no resolvable account (deleted group, unreachable
                ' trusted domain): skip it instead of abandoning the whole list.
            End Try
        Next
    End Using

    result.Sort()
    Return result
End Function

So just use GetGroups("userID"). Since this method uses the user's SID, no explicit LDAP call is made. If you use your own user name it uses the cached credentials, so this function is very fast.

The try/catch is necessary because in large companies AD is so big that some SIDs get lost in space.

See https://stackoverflow.com/a/19403297/2886367

Votes: 0
Page content provided by Stack Overflow; translation supported by the Tencent Cloud IT-domain engine.
Original link:

https://stackoverflow.com/questions/13059616
