List of users in a specific Active Directory distribution group

Date: 2022-11-27
Problem description

I'm trying to get a list of users and some properties about the user from within an active directory group.

Update:

Here are the two methods I currently have:

    Dim adGroup As New DirectoryEntry("LDAP://CN=MyGroup,OU=Groups,OU=Accounts,OU=All,DC=domain,DC=com")
    Dim adMembers As Object
    Dim objUser As ActiveDirectoryUser
    Dim objUserList As New List(Of ActiveDirectoryUser)
    Dim directoryEntry As DirectoryEntry

    adMembers = adGroup.Invoke("Members", Nothing)

    For Each adMember As Object In CType(adMembers, IEnumerable)
        directoryEntry = New DirectoryEntry(adMember)
        objUser = New ActiveDirectoryUser

        objUser.UserId = directoryEntry.Properties.Item("sAMAccountName").Value.ToString()
        objUser.Contract = directoryEntry.Properties.Item("ou").Value.ToString()
        objUser.LastName = directoryEntry.Properties.Item("sn").Value.ToString()
        objUser.FirstName = directoryEntry.Properties.Item("givenName").Value.ToString()
        objUser.Email = directoryEntry.Properties.Item("mail").Value.ToString()

        objUserList.Add(objUser)
    Next

The first piece works, though it seems quite inefficient. My memory usage climbs and climbs as it's executing and I was getting this error, though it looks like that can be fixed. The second method:

    Dim results As SearchResultCollection
    Dim directoryEntry2 As New DirectoryEntry("LDAP://DC=domain,DC=com")
    Dim directorySearcher As New DirectorySearcher(directoryEntry2)
    directorySearcher.PageSize = 1000

    directorySearcher.Filter = "(&(objectCategory=person)" & _
                           "(objectClass=user)" & _
                           "(memberOf=CN=MyGroup,OU=Groups,OU=Accounts,OU=All,DC=domain,DC=com))"


    directorySearcher.PropertiesToLoad.Add("ou")
    directorySearcher.PropertiesToLoad.Add("sn")
    directorySearcher.PropertiesToLoad.Add("givenName")
    directorySearcher.PropertiesToLoad.Add("sAMAccountName")
    directorySearcher.PropertiesToLoad.Add("mail")

    results = directorySearcher.FindAll

The result count seems to vary from each execution of the application which I find odd. I'm not sure if this is a reliable way of getting the users back or if I need to modify something on my search?

Recommended answer

If you can, do upgrade to .NET 3.5 and use the new much improved System.DirectoryServices.AccountManagement namespace. Great intro for those new classes is found in Managing Directory Security Principals in the .NET Framework 3.5.

With this, your job becomes trivial:

    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN");
    GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "MyGroup");
    PrincipalSearchResult<Principal> members = group.GetMembers();

Does this work for you?

If you cannot use .NET 3.5, you should inspect the member property of the group. The group members are not stored as children logically underneath the group in hierarchy, so you cannot find them by using a DirectorySearcher.

    DirectoryEntry group = new DirectoryEntry("LDAP://CN=MyGroup,OU=Groups,OU=All,DC=Domain,DC=com");

    foreach(object groupMemberDN in group.Properties["member"])
    {
       // grab the group member's DN
    }

See the Quick List of C# Code Examples for Active Directory (or the same for Visual Basic .NET) in the MSDN library for this snippet and more.

Update: if you need the users belonging to a particular group (since you want to update their properties or something), you could reverse the approach: search for all the users who have a memberOf property equivalent to the group's DN:

    DirectoryEntry root = new DirectoryEntry("LDAP://dc=domain,dc=com");
    DirectorySearcher searcher = new DirectorySearcher(root);

    searcher.Filter = "(&(objectCategory=user)(memberOf=CN=MyGroup,OU=Groups,OU=All,DC=Domain,DC=com))";
    // set other properties on the searcher

    foreach(object result in searcher.FindAll())
    {
       // do whatever you need to do with the entry
    }
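
An added example, not part of the original question or answer: the paged `memberOf` search from the page written out in C#, with the group DN escaped before it is placed in the filter and the searcher and result collection disposed. The names `GroupMembers`, `Find`, `EscapeFilterValue` and `First` are assumptions for illustration; the filter and attribute names are the ones on the page.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;   // reference System.DirectoryServices.dll
using System.Text;

static class GroupMembers
{
    // RFC 4515: escape characters that are special inside an LDAP filter value.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // First value of an attribute, or null when the entry does not carry it.
    static string First(SearchResult r, string attr)
    {
        ResultPropertyValueCollection v = r.Properties[attr];
        return (v != null && v.Count > 0) ? v[0].ToString() : null;
    }

    // Direct members of groupDn as sAMAccountName -> mail (mail may be null).
    public static Dictionary<string, string> Find(string rootPath, string groupDn)
    {
        var users = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        using (var root = new DirectoryEntry(rootPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf="
                            + EscapeFilterValue(groupDn) + "))";
            searcher.PageSize = 1000;   // paged search, so large groups are returned in full
            searcher.PropertiesToLoad.AddRange(new[] { "sAMAccountName", "mail" });
            // SearchResultCollection wraps unmanaged handles: dispose it explicitly.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string id = First(r, "sAMAccountName");
                    if (id != null) users[id] = First(r, "mail");
                }
            }
        }
        return users;
    }
}
```

With the page's placeholder values the call is `GroupMembers.Find("LDAP://DC=domain,DC=com", "CN=MyGroup,OU=Groups,OU=Accounts,OU=All,DC=domain,DC=com")`.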
