Original URL: http://stackoverflow.com/questions/45437/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share them, but you must attribute them to the original authors (not me): StackOverflow
Determining members of local groups via C#
Asked by ljs
I wondered whether anybody knows how to obtain membership of local groups on a remote server programmatically via C#. Would this require administrator permissions? And if so is there any way to confirm the currently logged in user's membership (or not) of these groups?
Answered by Espo
Howto: (Almost) Everything In Active Directory via C# is very helpful and also includes instructions on how to iterate AD members in a group.
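    // Requires: using System.Collections; using System.DirectoryServices;
    // Returns the distinguished names of the groups the user is a member of.
    // userDn is handed to DirectoryEntry unchanged, so it must be a full
    // ADsPath (one that starts with "LDAP://").
    public ArrayList Groups(string userDn, bool recursive)
    {
        ArrayList groupMemberships = new ArrayList();
        return AttributeValuesMultiString("memberOf", userDn,
            groupMemberships, recursive);
    }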
You will also need this function:
    // Collects the values of a multi-valued attribute (here: memberOf) of the
    // object at objectDn. With recursive == true each returned group is followed
    // as well; the Contains() check keeps groups nested in a cycle from looping.
    public ArrayList AttributeValuesMultiString(string attributeName,
        string objectDn, ArrayList valuesCollection, bool recursive)
    {
        DirectoryEntry ent = new DirectoryEntry(objectDn);
        PropertyValueCollection ValueCollection = ent.Properties[attributeName];
        IEnumerator en = ValueCollection.GetEnumerator();
        while (en.MoveNext())
        {
            if (en.Current != null)
            {
                if (!valuesCollection.Contains(en.Current.ToString()))
                {
                    valuesCollection.Add(en.Current.ToString());
                    if (recursive)
                    {
                        // memberOf holds plain DNs, so add the provider prefix
                        AttributeValuesMultiString(attributeName, "LDAP://" +
                            en.Current.ToString(), valuesCollection, true);
                    }
                }
            }
        }
        ent.Close();
        ent.Dispose();
        return valuesCollection;
    }
If you do not want to use this AD-method, you could use the info in this article, but it uses unmanaged code:
http://www.codeproject.com/KB/cs/groupandmembers.aspx
The sample application that they made:
Answered by ljs
It appears there is a new Assembly in .net 3.5 called System.DirectoryServices.AccountManagement which gives a cleaner implementation than System.DirectoryServices. Dominick Baier blogs about a couple of simple operations including checking membership of a group:-
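    // Requires a reference to System.DirectoryServices.AccountManagement (.NET 3.5+)
    // and: using System.DirectoryServices.AccountManagement;
    public static bool IsUserInGroup(string username, string groupname, ContextType type)
    {
        using (PrincipalContext context = new PrincipalContext(type))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(
            context,
            IdentityType.SamAccountName,
            username))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(
            context, groupname))
        {
            // FindByIdentity returns null when nothing matches; without this
            // check the call below throws. An unknown user or group is "not a member".
            if (user == null || group == null)
                return false;
            return user.IsMemberOf(group);
        }
    }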
I think I will use this approach, thanks for the suggestions though however! :-)
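Applied to the original question (local groups on a remote server, and whether the current user is in one), the AccountManagement approach can be pointed at another machine's local account database. This is an added example, not code from the answer above; the class and method names are hypothetical, and it assumes the caller is allowed to query the remote machine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class RemoteLocalGroupCheck   // hypothetical helper class
{
    // SIDs of the direct members of a local group on `server`.
    public static HashSet<string> GetMemberSids(string server, string groupName)
    {
        var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        // ContextType.Machine plus a machine name binds to that machine's local
        // account database (SAM) with the caller's current credentials.
        using (var context = new PrincipalContext(ContextType.Machine, server))
        using (var group = GroupPrincipal.FindByIdentity(context, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);
            // false = direct members only. A domain group that was added to the
            // local group is returned as one entry, not expanded. Enumeration can
            // throw if a member can no longer be resolved (e.g. a deleted account).
            using (PrincipalSearchResult<Principal> members = group.GetMembers(false))
            {
                foreach (Principal member in members)
                    using (member)
                        if (member.Sid != null) sids.Add(member.Sid.Value);
            }
        }
        return sids;
    }

    // True when the current user, or a group in the current access token,
    // is a direct member of the remote local group. The token was built on
    // this machine, so treat the answer as an approximation of what the
    // remote server would compute at logon.
    public static bool CurrentUserIsMember(string server, string groupName)
    {
        HashSet<string> memberSids = GetMemberSids(server, groupName);
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            if (memberSids.Contains(me.User.Value)) return true;
            foreach (IdentityReference sid in me.Groups)
                if (memberSids.Contains(sid.Value)) return true;
        }
        return false;
    }
}
```

Comparing SIDs instead of names avoids mismatches between local and domain accounts that share a name.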
Answered by quux
I asked a similar question, and ended up writing an answer which used WMI to enum the group members. I had real problems with authentication in the system.directoryservices.accountmanagement stuff. YMMV, of course.
Answered by fuzzbone
I'd be curious if the System.DirectoryServices.AccountManagement is fully managed. I've used System.DirectoryServices.ActiveDirectory which is a wrapper for COM Interop which has led to many headaches...
Answered by Jon DellOro
This may possibly help. I had to develop an app where we want to authenticate against active directory, and also examine the groups strings that the user is in.
For a couple of reasons we don't want to use windows authentication, but rather have our own forms based authentication. I developed the routine below to firstly authenticate the user, and secondly examine all the groups that the user belongs to. Perhaps it may help. The routine uses LogonUser to authenticate, and then gets the list of numerical guid-like group ids (SIDs) for that user, and translates each one to a human readable form.
Hope this helps, I had to synthesise this approach from a variety of different google searches.
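    // Requires: using System; using System.Runtime.InteropServices; using System.Security.Principal;
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // txtUserName, txtUserPass, propDomain and inDBGroup are members of the page class.
    private int validateUserActiveDirectory()
    {
        IntPtr token = IntPtr.Zero;
        int DBgroupLevel = 0;
        // make sure you're yourself -- recommended at msdn http://support.microsoft.com/kb/248187
        RevertToSelf();
        if (LogonUser(txtUserName.Value, propDomain, txtUserPass.Text, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token)) {
            try {
                // ImpersonateLoggedOnUser not required for us -- we are not doing impersonated stuff, but leave it here for completeness.
                //ImpersonateLoggedOnUser(token);
                // do impersonated stuff
                // end impersonated stuff
                // Read the groups from the token LogonUser returned, so they belong to the
                // user who was just authenticated and not to the identity of the request.
                using (WindowsIdentity identity = new WindowsIdentity(token)) {
                    foreach (IdentityReference g in identity.Groups) {
                        IdentityReference translatedGroup = g.Translate(typeof(NTAccount));
                        if (translatedGroup.Value.ToLower().Contains("desired group")) {
                            inDBGroup = true;
                            return 1;
                        }
                    }
                }
            }
            finally {
                // ensure that we are the original user
                CloseHandle(token);
                RevertToSelf();
            }
            // authenticated, but not a member of the desired group
            return DBgroupLevel;
        }
        else {
            return 0;
        }
    }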
Answered by Patrik Svensson
Perhaps this is something that can be done via WMI?
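The WMI route mentioned in this answer and in quux's answer can be sketched with the Win32_GroupUser association class. This is an added example, not code from either answer; the class and method names are hypothetical, and it assumes `server` is the target's NetBIOS computer name and that the caller may connect to WMI on it (by default remote WMI access is limited to administrators of the target).

```csharp
using System;
using System.Collections.Generic;
using System.Management;                  // reference System.Management.dll
using System.Text.RegularExpressions;

public static class LocalGroupWmi         // hypothetical helper class
{
    // Win32_GroupUser.PartComponent is an object path such as (constructed sample):
    //   \\SRV01\root\cimv2:Win32_UserAccount.Domain="CORP",Name="alice"
    private static readonly Regex PartPath = new Regex(
        @":(?<cls>\w+)\.Domain=""(?<domain>[^""]+)"",Name=""(?<name>[^""]+)""$");

    // Converts a PartComponent path to DOMAIN\name, or null if it does not parse.
    public static string ParseMember(string partComponent)
    {
        Match m = PartPath.Match(partComponent ?? "");
        return m.Success ? m.Groups["domain"].Value + "\\" + m.Groups["name"].Value : null;
    }

    public static List<string> GetMembers(string server, string groupName)
    {
        // Both values are spliced into a WQL string, so reject quote and
        // backslash characters instead of trying to escape them.
        foreach (string s in new[] { server, groupName })
            if (string.IsNullOrEmpty(s) || s.IndexOfAny(new[] { '\'', '"', '\\' }) >= 0)
                throw new ArgumentException("Unsupported value: " + s);

        var scope = new ManagementScope(@"\\" + server + @"\root\cimv2");
        scope.Connect();   // caller's credentials; throws if access is denied

        // For a local group, Win32_Group.Domain is the machine's own name,
        // which is why an IP address or FQDN in `server` would match nothing.
        var query = new ObjectQuery(
            "SELECT * FROM Win32_GroupUser WHERE GroupComponent=" +
            "\"Win32_Group.Domain='" + server + "',Name='" + groupName + "'\"");

        var members = new List<string>();
        using (var searcher = new ManagementObjectSearcher(scope, query))
        using (ManagementObjectCollection results = searcher.Get())
            foreach (ManagementBaseObject row in results)
            {
                string member = ParseMember((string)row["PartComponent"]);
                if (member != null) members.Add(member);
            }
        return members;
    }
}
```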