我正在尝试使用以下代码获取用户的所有Active Directory组:
private static IEnumerable<string> GetGroupNames(string userName)
{
using (var context = new PrincipalContext(ContextType.Domain))
{
using (var userPrincipal = UserPrincipal.FindByIdentity(context, userName))
{
var groupSearch = userPrincipal.GetGroups(context);
var result = new List<string>();
foreach (var principal in groupSearch)
{
Log.LogDebug("User {0} is member of group {0}", userPrincipal.DisplayName, principal.DisplayName);
result.Add(principal.SamAccountName);
}
return result;
}
}
}
此代码正确查找用户主体,但在使用PrincipalOperationException调用GetGroups时失败:未知错误(0x80005000).
根异常:
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal foreignPrincipal, StoreCtx foreignContext)
at System.DirectoryServices.AccountManagement.Principal.GetGroupsHelper(PrincipalContext contextToQuery)
at System.DirectoryServices.AccountManagement.Principal.GetGroups(PrincipalContext contextToQuery)
at [line of the GetGroup call]
内部异常(COMException):
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject() …所以我对活动目录中的递归组有疑问.我有一个方法来检查用户ID是否在组中.效果很好.今天发现它不检查递归组成员资格,我不太确定如何(或者如果)有办法做到这一点.这是我到目前为止非递归的内容:
public static bool CheckGroupMembership(string userID, string groupName, string Domain)
{
bool isMember = false;
PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain, Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);
if (user.IsMemberOf(ADDomain, IdentityType.Name, groupName.Trim()))
{
isMember = true;
}
return isMember;
}
我已经看到了一些关于目录搜索器的东西,但我对直接使用AD有些新意,虽然我理解了这些概念,但其他一些东西对我来说仍然有点遗失.
谢谢!
我正在使用Active Directory对Intranet站点的用户进行身份验证.我想根据他们在Active Directory中的组来优化经过身份验证的用户.有人可以向我展示或指出如何在ASP.NET 4.0(VB)中找到用户所在的组的方向吗?