我需要一种方法来查看用户是否是我的 .Net 3.5 asp.net c# 应用程序中活动目录组的一部分。
我正在使用 msdn 的标准 ldap 身份验证示例,但我真的不知道如何检查组。
问问题
88770 次
15 回答
41
使用 3.5 和System.DirectoryServices.AccountManagement这有点干净:
public List<string> GetGroupNames(string userName)
{
var pc = new PrincipalContext(ContextType.Domain);
var src = UserPrincipal.FindByIdentity(pc, userName).GetGroups(pc);
var result = new List<string>();
src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
return result;
}
于 2010-02-03T01:01:56.073 回答
20
Nick Craver 的解决方案在 .NET 4.0 中对我不起作用。我收到有关已卸载 AppDomain 的错误。我没有使用它,而是使用了它(我们只有一个域)。这将检查组组以及直接组成员身份。
using System.DirectoryServices.AccountManagement;
using System.Linq;
...
using (var ctx = new PrincipalContext(ContextType.Domain, yourDomain)) {
using (var grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, yourGroup)) {
bool isInRole = grp != null &&
grp
.GetMembers(true)
.Any(m => m.SamAccountName == me.Identity.Name.Replace(yourDomain + "\\", ""));
}
}
于 2010-06-14T17:35:45.087 回答
16
下面的代码将在 .net 4.0 中工作
private static string[] GetGroupNames(string userName)
{
List<string> result = new List<string>();
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
using (PrincipalSearchResult<Principal> src = UserPrincipal.FindByIdentity(pc, userName).GetGroups(pc))
{
src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
}
}
return result.ToArray();
}
于 2011-12-08T14:09:34.003 回答
11
最简单的解决方案
PrincipalContext pc = new PrincipalContext((Environment.UserDomainName == Environment.MachineName ? ContextType.Machine : ContextType.Domain), Environment.UserDomainName);
GroupPrincipal gp = GroupPrincipal.FindByIdentity(pc, "{GroupName}");
UserPrincipal up = UserPrincipal.FindByIdentity(pc, Environment.UserName);
up.IsMemberOf(gp);
于 2013-03-20T22:44:15.173 回答
7
如果您尝试确定经过 Windows 身份验证的当前用户是否具有特定角色,此方法可能会有所帮助。
public static bool CurrentUserIsInRole(string role)
{
try
{
return System.Web.HttpContext.Current.Request
.LogonUserIdentity
.Groups
.Any(x => x.Translate(typeof(NTAccount)).ToString() == role);
}
catch (Exception) { return false; }
}
于 2013-09-06T17:18:23.050 回答
5
这取决于用户是否在 AD 组中的意思。在 AD 中,组可以是安全组或通讯组。即使对于安全组,它也取决于是否需要将“域用户”或“用户”等组包括在成员资格检查中。
IsUserInSecurityGroup 将仅检查安全组,并适用于主要组类型的组,如“域用户”和“用户”,而不是通讯组。它还将解决嵌套组的问题。IsUserInAllGroup 还将检查通讯组,但我不确定您是否会遇到权限问题。如果这样做,请使用 WAAG 中的服务帐户(请参阅 MSDN)
我不使用 UserPrincipal.GetAuthorizedGroups() 的原因是它有很多问题,例如要求调用帐户在 WAAG 中并且要求在 SidHistory 中没有条目(参见 David Thomas 的评论)
public bool IsUserInSecurityGroup(string user, string group)
{
return IsUserInGroup(user, group, "tokenGroups");
}
public bool IsUserInAllGroup(string user, string group)
{
return IsUserInGroup(user, group, "tokenGroupsGlobalAndUniversal");
}
private bool IsUserInGroup(string user, string group, string groupType)
{
var userGroups = GetUserGroupIds(user, groupType);
var groupTokens = ParseDomainQualifiedName(group, "group");
using (var groupContext = new PrincipalContext(ContextType.Domain, groupTokens[0]))
{
using (var identity = GroupPrincipal.FindByIdentity(groupContext, IdentityType.SamAccountName, groupTokens[1]))
{
if (identity == null)
return false;
return userGroups.Contains(identity.Sid);
}
}
}
private List<SecurityIdentifier> GetUserGroupIds(string user, string groupType)
{
var userTokens = ParseDomainQualifiedName(user, "user");
using (var userContext = new PrincipalContext(ContextType.Domain, userTokens[0]))
{
using (var identity = UserPrincipal.FindByIdentity(userContext, IdentityType.SamAccountName, userTokens[1]))
{
if (identity == null)
return new List<SecurityIdentifier>();
var userEntry = identity.GetUnderlyingObject() as DirectoryEntry;
userEntry.RefreshCache(new[] { groupType });
return (from byte[] sid in userEntry.Properties[groupType]
select new SecurityIdentifier(sid, 0)).ToList();
}
}
}
private static string[] ParseDomainQualifiedName(string name, string parameterName)
{
var groupTokens = name.Split(new[] {"\\"}, StringSplitOptions.RemoveEmptyEntries);
if (groupTokens.Length < 2)
throw new ArgumentException(Resources.Exception_NameNotDomainQualified + name, parameterName);
return groupTokens;
}
于 2013-01-30T21:07:55.757 回答
3
这似乎要简单得多:
public bool IsInRole(string groupname)
{
var myIdentity = WindowsIdentity.GetCurrent();
if (myIdentity == null) return false;
var myPrincipal = new WindowsPrincipal(myIdentity);
var result = myPrincipal.IsInRole(groupname);
return result;
}
于 2015-04-07T23:11:59.460 回答
3
这是我的 2 美分。
static void CheckUserGroup(string userName, string userGroup)
{
var wi = new WindowsIdentity(userName);
var wp = new WindowsPrincipal(wi);
bool inRole = wp.IsInRole(userGroup);
Console.WriteLine("User {0} {1} member of {2} AD group", userName, inRole ? "is" : "is not", userGroup);
}
于 2015-03-30T15:58:25.200 回答
2
于 2010-02-03T00:57:50.940 回答
2
您可以尝试以下代码:
public bool Check_If_Member_Of_AD_Group(string username, string grouptoCheck, string domain, string ADlogin, string ADpassword)
{
try {
string EntryString = null;
EntryString = "LDAP://" + domain;
DirectoryEntry myDE = default(DirectoryEntry);
grouptoCheck = grouptoCheck.ToLower();
myDE = new DirectoryEntry(EntryString, ADlogin, ADpassword);
DirectorySearcher myDirectorySearcher = new DirectorySearcher(myDE);
myDirectorySearcher.Filter = "sAMAccountName=" + username;
myDirectorySearcher.PropertiesToLoad.Add("MemberOf");
SearchResult myresult = myDirectorySearcher.FindOne();
int NumberOfGroups = 0;
NumberOfGroups = myresult.Properties["memberOf"].Count - 1;
string tempString = null;
while ((NumberOfGroups >= 0)) {
tempString = myresult.Properties["MemberOf"].Item[NumberOfGroups];
tempString = tempString.Substring(0, tempString.IndexOf(",", 0));
tempString = tempString.Replace("CN=", "");
tempString = tempString.ToLower();
tempString = tempString.Trim();
if ((grouptoCheck == tempString)) {
return true;
}
NumberOfGroups = NumberOfGroups - 1;
}
return false;
}
catch (Exception ex) {
System.Diagnostics.Debugger.Break();
}
//HttpContext.Current.Response.Write("Error: <br><br>" & ex.ToString)
}
于 2010-02-03T00:58:09.893 回答
1
布兰登约翰逊,喜欢它,我使用了你所拥有的,但做了以下改变:
private static string[] GetGroupNames(string domainName, string userName)
{
List<string> result = new List<string>();
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, domainName))
{
using (PrincipalSearchResult<Principal> src = UserPrincipal.FindByIdentity(principalContext, userName).GetGroups(principalContext))
{
src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
}
}
return result.ToArray();
}
于 2012-08-07T13:04:50.940 回答
1
var context = new PrincipalContext(ContextType.Domain, {ADDomain}, {ADContainer});
var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, {AD_GROUP_NAME});
var user = UserPrincipal.FindByIdentity(context, {login});
bool result = user.IsMemberOf(group);
于 2016-09-14T13:54:46.517 回答
1
如果您想检查用户组成员资格,包括与用户父组间接链接的嵌套组,您可以尝试使用“tokenGroups”属性,如下所示:
使用 System.DirectoryServices
公共静态布尔 IsMemberOfGroupsToCheck(字符串 DomainServer,字符串 LoginID,字符串 LoginPassword)
{
string UserDN = "CN=John.Doe-A,OU=管理账户,OU=用户目录,DC=ABC,DC=com"
string ADGroupsDNToCheck = "CN=ADGroupTocheck,OU=管理组,OU=组目录,DC=ABC,DC=com";
字节[] sid,parentSID;
布尔检查 = 假;
DirectoryEntry parentEntry;
DirectoryEntry basechildEntry;
字符串 octetSID;
basechildEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + UserDN, LoginID, LoginPassword);
basechildEntry.RefreshCache(new String[] { "tokenGroups" });
parentEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + ADGroupsDNToCheck, LoginID, LoginPassword);
parentSID = (byte[])parentEntry.Properties["objectSID"].Value;
octetSID = ConvertToOctetString(parentSID, false, false);
foreach(basechildEntry.Properties["tokenGroups"] 中的对象 GroupSid)
{
sid = (byte[])GroupSid;
if (ConvertToOctetString(sid,false,false) == octetSID)
{
检查=真;
休息;
}
}
basechildEntry.Dispose();
parentEntry.Dispose();
退货支票;
}
于 2016-09-21T04:39:46.700 回答
1
如何检查用户是否在 AD 成员和特定的 AD 组成员中
//This Reference and DLL must be attach in your project
//using System.DirectoryServices.AccountManagement;
public bool IsAuthenticated(string username, string pwd)
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "xxx.com")) // Your Domain Name
{
if (pc.ValidateCredentials(username, password)) //User and Password is OK for Active Directory
{
UserPrincipal user = UserPrincipal.FindByIdentity(pc, username); //Get User Active Directory Information Details
if (user != null)
{
var groups = user.GetAuthorizationGroups(); // Get User Authorized Active Directory Groups
foreach (GroupPrincipal group in groups)
{
if (group.Name.Equals("SpecificActiveDirectoryGroupName")) //Check if user specific group members
{
return true;
}
}
}
}
}
return false;
}
于 2020-05-19T14:53:34.640 回答
0
这应该适用于 .NET 3.5+
// using System.DirectoryServices.AccountManagement;
public static bool IsUserMemberOfGroup(string username, string group)
{
using (var ctx = new PrincipalContext(ContextType.Domain))
using (var usr = UserPrincipal.FindByIdentity(ctx, username))
return usr.IsMemberOf(ctx, IdentityType.Name, group);
}
这类似于这里的很多答案,但是:
- 仅查找用户,然后仅使用其名称检查用户是否是组的成员(不需要查找组或遍历用户/组)
Disposes 对象(使用usings)
于 2020-12-09T16:57:23.217 回答