
I am trying to enhance my code to determine whether a user is a member of a given AD group. It basically works, except when a member of the group happens to come from another (trusted) domain, because it is stored as a foreignSecurityPrincipal.

Given that I have a valid DirectoryEntry object for both the group to test and the account to check, I need a DirectorySearcher filter string that lets me confirm the account is in the group, even when the account is a foreign security principal.

(VB.NET code sample demonstrating the problem)

Imports System.DirectoryServices

Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User

' Search the group entry itself (SearchScope.Base) and let AttributeScopeQuery
' evaluate the filter against the objects its member attribute points at.
Dim DSearcher As New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)

1 Answer


OK. Found it. Here's the trick.


(VB.NET code sample)

Imports System.DirectoryServices
Imports System.Security.Principal

Dim ContainerGroup As DirectoryEntry = ... Code to get Group
Dim UserToCheckFor As DirectoryEntry = ... Code to get User

' Filter on the account's SID. A member from a trusted domain is represented in
' this domain by a foreignSecurityPrincipal whose objectSid is that account's
' SID, so the same filter matches native users and foreign ones.
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(UserToCheckFor), New String() {"member;Range=0-5000"}, SearchScope.Base)
' Evaluate the filter against the objects referenced by the group's member attribute
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)


** Helper Methods **

Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String
  ' AD accepts the S-1-... string form in a filter for attributes with SID syntax
  Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
  ' objectSid is stored as a byte array; SecurityIdentifier renders it as S-1-...
  Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
  Dim sid As New SecurityIdentifier(bytes, 0)
  Return sid.ToString()
End Function
answered 2008-12-16T23:18:24.903
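The answer's trick, as an added example that is not code from the original post: the two helpers above turn the raw objectSid bytes into the S-1-... string and wrap it in an LDAP filter. The Python below does that decoding by hand (it reproduces what SecurityIdentifier(bytes, 0).ToString() returns) and models the member lookup against a constructed in-memory directory, so no real domain, SID or DN appears; the names LOCAL_DOMAIN, TRUSTED_DOMAIN, DIRECTORY and the DNs are all made up for the demonstration. It shows why the SID filter works where a DN comparison does not: the foreignSecurityPrincipal placeholder in the local domain carries the trusted-domain account's own SID as its objectSid. It also builds the escaped-binary form of the same filter for servers that do not accept the string SID syntax.

```python
import struct

# Added example, not code from the original post. It reproduces what the
# answer's SecurityIdentifier-based helpers do and models the group lookup
# against a constructed in-memory directory; no real domain, SID or DN here.


def sid_bytes_to_sddl(raw: bytes) -> str:
    """Decode a binary objectSid into S-R-A-S1-S2-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then count x 32-bit sub-authorities (little-endian).
    This is the string SecurityIdentifier(bytes, 0).ToString() returns.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sddl_to_sid_bytes(sddl: str) -> bytes:
    """Inverse of sid_bytes_to_sddl; used here to build the sample directory."""
    parts = sddl.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-... SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_filter_string(raw: bytes) -> str:
    """The filter the answer's getLDAPQueryStringUsingSID builds. Active
    Directory accepts the S-... string for attributes with SID syntax."""
    return "(objectSid=%s)" % sid_bytes_to_sddl(raw)


def objectsid_filter_binary(raw: bytes) -> str:
    """Same match with each SID byte escaped as \\xx (RFC 4515), which any
    LDAP server that stores objectSid as an octet string will accept."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in raw)


# Constructed sample: a local user and a foreignSecurityPrincipal that stands
# in for an account from a trusted domain. Both DNs are in the group's member
# attribute; only the FSP carries the foreign account's SID.
LOCAL_DOMAIN = "S-1-5-21-1000-2000-3000"
TRUSTED_DOMAIN = "S-1-5-21-4000-5000-6000"
TRUSTED_USER_SID = TRUSTED_DOMAIN + "-1105"
TRUSTED_USER_DN = "CN=bob,CN=Users,DC=trusted,DC=example"

DIRECTORY = {
    "CN=alice,CN=Users,DC=corp,DC=example": {
        "objectClass": "user",
        "objectSid": sddl_to_sid_bytes(LOCAL_DOMAIN + "-1104"),
    },
    "CN=%s,CN=ForeignSecurityPrincipals,DC=corp,DC=example" % TRUSTED_USER_SID: {
        "objectClass": "foreignSecurityPrincipal",
        "objectSid": sddl_to_sid_bytes(TRUSTED_USER_SID),
    },
}
GROUP_MEMBERS = list(DIRECTORY)  # the group's "member" values (DNs)


def is_member_by_dn(account_dn: str) -> bool:
    """The naive check: is the account's own DN listed in member? Fails for a
    trusted-domain account, whose DN lives in the other forest."""
    return account_dn in GROUP_MEMBERS


def is_member_by_sid(account_sid: bytes) -> bool:
    """What AttributeScopeQuery="member" plus (objectSid=...) does: look at each
    object the member attribute points at and compare objectSid values."""
    wanted = sid_bytes_to_sddl(account_sid)
    return any(sid_bytes_to_sddl(DIRECTORY[dn]["objectSid"]) == wanted
               for dn in GROUP_MEMBERS)


if __name__ == "__main__":
    bob = sddl_to_sid_bytes(TRUSTED_USER_SID)
    print(objectsid_filter_string(bob))
    print("by DN :", is_member_by_dn(TRUSTED_USER_DN))   # False
    print("by SID:", is_member_by_sid(bob))             # True
```

Against a real domain the string form is the convenient one, since AD resolves the S-1-... text for SID-syntax attributes; the escaped-binary form is the portable fallback when a directory treats objectSid as an opaque octet string. Either way the check depends on AttributeScopeQuery = "member" so that the filter is evaluated against the referenced member objects rather than the group entry itself.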