Windows / Active Directory - 用户 / 组

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL, and attribute it to the original authors (not me): StackOverflow, original at http://stackoverflow.com/questions/23610/

Date: 2020-09-15 11:07:00  Source: igfitidea

Windows / Active Directory - User / Groups

Tags: windows, active-directory, active-directory-group

Asked by Roy Rico

I'm looking for a way to find the Windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:

DOMAIN\USER 
DOMAIN\GROUP

I have a list of users in active directory format that I need to add:

ou=group1;ou=group2;ou=group3

I have tried adding DOMAIN\Group1, but I get a 'user not found' error.

P.S. It should also be noted that I'm not a LAN admin.

Answered by Michael Stum

Programmatically or manually?

Manually, I prefer AdExplorer, which is a nice Active Directory browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.

Programmatically, it depends on your language of course. On .NET, the System.DirectoryServices namespace is your friend. (I don't have any code examples here unfortunately.)

For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

http://en.wikipedia.org/wiki/Active_Directory (General stuff about the structure of AD)

Answered by adeel825

You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:

  1. Go to Start --> Run and type in mmc.
  2. In the MMC console go to File --> Add/Remove Snap-In.
  3. Click Add.
  4. Select Active Directory Users and Computers and select Add.
  5. Hit Close and then hit OK.

From here you can expand the domain tree and search (by right-clicking on the domain name).

You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.

When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.

Answered by Euro Micelli

You do not need domain admin rights to look at the Active Directory. By default, any (authenticated?) user can read the information that you need from the directory.

If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.

You only need admin rights to change the contents of the directory.

I think it is possible to set more restricted permissions, but that's not likely the case.

Answered by Doug Seelinger

Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi

This gives you a couple of additional tools to "get at" AD: LDP.EXE - good for reading information in AD, but the UI kinda stinks. ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.

You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.

Answered by Michael Stum

OU is an Organizational Unit (sort of like a subfolder in Explorer), not a Group; hence group1, 2 and 3 are not actually groups.

You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.

Edit: For groups, the CN (Common Name) could also work.

The full string from Active Directory normally looks like this:

cn=Username,cn=Users,dc=DomainName,dc=com

(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.)
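The following PowerShell script is an added example and is not code from this thread or from any of its posters. It ties together the two points made above: querying the directory through System.DirectoryServices, and telling an OU apart from a group for each "ou=group1"-style entry in the asker's list. It assumes a domain-joined Windows workstation and that the logged-on account has the default read access to the directory (no domain admin rights are used); the names in `$NameList` are the placeholders from the question. For every name it reports the object's distinguishedName, whether it is a security group, a distribution group or an OU, and, for groups, the `DOMAIN\NAME` form built from the domain's NetBIOS name and the group's sAMAccountName, which is the pre-Windows 2000 name that tools expecting `DOMAIN\GROUP` match on.

```powershell
# Added example, not code from the thread. Assumes a domain-joined Windows host and that
# the logged-on account has the default read access to the directory; no domain admin
# rights are required. The names in $NameList ("group1", ...) are placeholders.
param(
    [string]$NameList = "ou=group1;ou=group2;ou=group3"
)

# RootDSE gives the domain and configuration partition DNs without hard-coding them.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# Escape text before it goes into an LDAP filter (RFC 4515), so a name containing
# "*" or ")" cannot widen or break the search. Backslash must be replaced first.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# One subtree search under $SearchRootDn, returning the first match or $null.
function Find-One {
    param([string]$SearchRootDn, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchRootDn")
    $searcher.Filter      = $Filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindOne()
}

# The DOMAIN half of DOMAIN\NAME is the NetBIOS name of the domain. It lives on the
# domain's crossRef object under CN=Partitions in the configuration partition and is
# often not the first label of the DNS name, so it is looked up rather than guessed.
function Get-NetBiosDomainName {
    $filter = "(&(objectClass=crossRef)(nCName=$(ConvertTo-LdapFilterValue $domainDn)))"
    $r = Find-One "CN=Partitions,$configDn" $filter @('nETBIOSName')
    if ($null -eq $r) { throw "No crossRef found for $domainDn" }
    return [string]$r.Properties['netbiosname'][0]
}

# Resolves one entry from the tool's list. The "ou=" entries in the question are OU
# names, so each name is looked up first as a group and then as an OU, and the result
# says which one it actually is.
function Resolve-PrincipalName {
    param([string]$Name, [string]$NetBiosDomain)
    # Strip an "ou=" / "cn=" prefix; the remainder is the bare name to search for.
    $bare = ($Name -replace '^\s*(ou|cn)=', '').Trim()
    $v = ConvertTo-LdapFilterValue $bare

    $g = Find-One $domainDn "(&(objectCategory=group)(|(cn=$v)(sAMAccountName=$v)))" @('sAMAccountName', 'distinguishedName', 'groupType')
    if ($null -ne $g) {
        # Bit 0x80000000 of groupType marks a security group. A distribution group has
        # a DOMAIN\NAME form too, but it cannot be granted permissions.
        $isSecurity = ([int64]$g.Properties['grouptype'][0] -band 0x80000000) -ne 0
        $kind = 'Distribution group (no permissions)'
        if ($isSecurity) { $kind = 'Security group' }
        return [pscustomobject]@{
            Input             = $Name
            Kind              = $kind
            Principal         = "$NetBiosDomain\$($g.Properties['samaccountname'][0])"
            DistinguishedName = [string]$g.Properties['distinguishedname'][0]
        }
    }

    $ou = Find-One $domainDn "(&(objectClass=organizationalUnit)(ou=$v))" @('distinguishedName')
    if ($null -ne $ou) {
        return [pscustomobject]@{
            Input             = $Name
            Kind              = 'Organizational unit (not a principal)'
            Principal         = $null
            DistinguishedName = [string]$ou.Properties['distinguishedname'][0]
        }
    }

    return [pscustomobject]@{ Input = $Name; Kind = 'Not found'; Principal = $null; DistinguishedName = $null }
}

$netbios = Get-NetBiosDomainName
$NameList -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { Resolve-PrincipalName $_ $netbios } |
    Format-Table -AutoSize
```

Run it from an ordinary domain logon, e.g. `.\Resolve-Names.ps1 -NameList "ou=group1;ou=group2"`; like the answers above note, reading these attributes needs no domain admin rights by default. An entry that comes back as an organizational unit cannot be used in the tool at all; in that case the script has shown you the OU's DN, and the next step is to browse that OU (AdExplorer, ADSI Edit or the Users and Computers snap-in all work) for the security group that actually holds the members you want, then feed that group's name back in to get its `DOMAIN\NAME` form.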

Answered by Roy Rico

Thanks adeel825 & Michael Stum.

My problem is, though, I'm in a big corporation and do not have access to log in as the domain admin nor to view the Active Directory, so I guess my solution is to try and get that level of access.

Answered by Michael Stum

Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.