
Active Directory - Find a computer in a group

开发者 (devze.com) https://www.devze.com 2023-01-24 22:22 Source: web

I am trying to do a very simple AD query to see if a computer is in a group. The following code seems intuitive enough but does not work. The LDAPString is a fully distinguished name for the group that the computer referenced by NetBIOSName is a memberOf.

// Assumes: using System.DirectoryServices;
public bool IsComputerInADGroup(String LDAPString, String NetBIOSName)
{
    // Binds to the group's DN and searches beneath it for the computer object
    using (DirectoryEntry entry = new DirectoryEntry(String.Format(@"LDAP://{0}", LDAPString)))
    using (DirectorySearcher computerSearch = new DirectorySearcher(entry))
    {
        computerSearch.Filter = String.Format("(&(objectCategory=computer)(CN={0}))", NetBIOSName);
        SearchResult match = computerSearch.FindOne();

        if (match != null)
        {
            return true;
        }
    }

    return false;
}

Can someone please explain why this is incorrect and what the correct/fastest way to perform this search is?

Thanks P


Your basic assumption is wrong - a computer (or user) cannot be in a group implying "containment" inside a group; a user or computer is only inside an OU.

A user or computer can be member of any number of groups - but you need to check this against the member property of the group (or the memberOf attribute of the element that is a member of that group).

So the easiest way, really, is to

  • bind to the object in question
  • refresh its property cache to get the latest entries in memberOf
  • enumerate its memberOf entries and see if the group you're looking for is present

Something like:

// Assumes: using System.DirectoryServices;
public static bool IsAccountMemberOfGroup(string account, string group)
{
    bool found = false;

    using (DirectoryEntry entry = new DirectoryEntry(account))
    {
        // Reload memberOf from the directory so a stale property cache is not consulted
        entry.RefreshCache(new string[] { "memberOf" });

        foreach (string memberOf in entry.Properties["memberOf"])
        {
            // Distinguished names are compared case-insensitively
            if (string.Compare(memberOf, group, true) == 0)
            {
                found = true;
                break;
            }
        }
    }

    return found;
}

Call this like so:

bool isMemberOf = 
     IsAccountMemberOfGroup("LDAP://cn=YourComputer,dc=Corp,dc=com",
                            "CN=yourGroupInQuestion,OU=SomeOU,dc=corp,dc=com");

and you should be fine.

Update: if you're on .NET 3.5, you could also use the new System.DirectoryServices.AccountManagement namespace and LINQ to make things even easier:

// Assumes: using System.DirectoryServices.AccountManagement; using System.Linq;
public static bool IsAccountMemberOfGroup2(PrincipalContext ctx, string account, string groupName)
{
   bool found = false;
   GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName);

   if (group != null)
   {
      // Compare the DN of each direct member against the account's DN
      found = group.GetMembers()
                 .Any(m => string.Compare(m.DistinguishedName, account, true) == 0);
   }

   return found;
}

and call this:

// establish default domain context    
PrincipalContext domain = new PrincipalContext(ContextType.Domain);

// call your function
bool isMemberOf = 
   IsAccountMemberOfGroup2(domain, 
                           "cn=YourComputer,dc=Corp,dc=com",
                           "CN=yourGroupInQuestion,OU=SomeOU,dc=corp,dc=com");


When you say it doesn't work, do you mean that you can't find the computer? If so, check first if the computer is in the group; there is a nice tool out there named Active Directory Explorer which can help you: http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx If it is in the group, what you can try is to eliminate the computer name from the filter and iterate over the result set in order to find out if your element is there:

// Match every computer object, then look for the one you want in the result set
computerSearch.Filter = "(&(objectCategory=computer))";
SearchResultCollection matches = computerSearch.FindAll();

Here's some info on how to query AD: http://www.codeproject.com/KB/system/everythingInAD.aspx
