Permissions for users/groups in Active Directory
Tags: permissions, user, Active Directory

2023-09-08 12:16:57 Author: 我们到底还能相信什么

Where can I find an example that does the following?

1. Pull users from Active Directory.
2. Get the user's member groups.
3. Get a list of the permissions assigned to each group.

This seems like a simple task but I can't find a solution.

The overall goal is to assign custom permissions and use them to control rights within an application.

Recommended answer

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

- Managing Directory Security Principals in the .NET Framework 3.5
- MSDN docs on System.DirectoryServices.AccountManagement

Basically, you can define a domain context and easily find users and/or groups in AD:

// requires a reference to System.DirectoryServices.AccountManagement.dll
using System;
using System.DirectoryServices.AccountManagement;

// set up domain context (it holds a connection to the domain, so dispose it when done)
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
   // find a user
   UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

   if (user != null)
   {
      // do something here....
   }

   // find the group in question
   GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

   // if found....
   if (group != null)
   {
      // iterate over direct members (GetMembers(true) would also recurse into nested groups)
      foreach (Principal p in group.GetMembers())
      {
         Console.WriteLine("{0}: {1}", p.StructuralObjectClass, p.DisplayName);
         // do whatever you need to do to those members
      }
   }
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

The last point: permissions. Those aren't stored in Active Directory, and therefore you can't retrieve them from any AD code.

Permissions are stored on the individual file system items, e.g. files and/or directories, or on other objects (like registry keys, etc.). When you have an AD group or user account, you can read its SID (Security Identifier) property; that SID will show up in ACLs (Access Control Lists) all over Windows, but from the user or group there's no mechanism to get all the permissions it might have anywhere on the machine/server.

Permissions for files and directories can e.g. be retrieved using the .GetAccessControl() method on the FileInfo and DirectoryInfo classes:

using System.IO;
using System.Security.AccessControl;

FileInfo info = new FileInfo(@"D:\test.txt");
FileSecurity fs = info.GetAccessControl();      // owner, primary group and DACL of the file

DirectoryInfo dir = new DirectoryInfo(@"D:\test\");
DirectorySecurity ds = dir.GetAccessControl();  // same for the directory

Deciphering and making sense of those is a whole different story altogether!
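The following is added here as an example and is not part of the original answer. It puts the two halves together: it resolves an AD user's SIDs (the user's own plus nested group membership, which GetAuthorizationGroups() expands), looks them up in an application-defined permission table keyed by group SID, which is where the custom permissions the question asks about have to live since AD holds no such thing, and then reads a directory's DACL and reports which rights those SIDs get. The domain, the account name jdoe, the group SIDs in the table and the path D:\test are assumptions; it needs a domain-joined machine, an account that can read the directory, and a reference to System.DirectoryServices.AccountManagement.dll.

```csharp
// Added example, not code from the original answer.
// Assumptions: domain-joined machine, sample user "jdoe", constructed group SIDs, path D:\test.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class AdPermissionLookup
{
    // Application-defined permissions keyed by group SID. Key on the SID, not the
    // group name: a group can be renamed or deleted and recreated, its SID cannot.
    // (Constructed sample data; replace with the application's own store.)
    static readonly Dictionary<string, string[]> AppPermissionsBySid = new Dictionary<string, string[]>
    {
        { "S-1-5-21-1111111111-2222222222-3333333333-1105", new[] { "Invoice.Read" } },
        { "S-1-5-21-1111111111-2222222222-3333333333-1106", new[] { "Invoice.Read", "Invoice.Approve" } },
    };

    // Every SID that counts for the user: the user's own plus all security groups,
    // including nested ones. GetAuthorizationGroups() does the nesting for us;
    // GetGroups() would return direct membership only.
    static HashSet<SecurityIdentifier> GetEffectiveSids(PrincipalContext ctx, string samAccountName)
    {
        var sids = new HashSet<SecurityIdentifier>();
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("User not found: " + samAccountName);
            sids.Add(user.Sid);
            foreach (Principal g in user.GetAuthorizationGroups())
            {
                if (g.Sid != null) sids.Add(g.Sid);
                g.Dispose();
            }
        }
        return sids;
    }

    // The "custom permissions" from the question: a pure lookup in the app's own table.
    static string[] GetAppPermissions(IEnumerable<SecurityIdentifier> sids)
    {
        return sids.Where(s => AppPermissionsBySid.ContainsKey(s.Value))
                   .SelectMany(s => AppPermissionsBySid[s.Value])
                   .Distinct()
                   .ToArray();
    }

    // Conservative reading of a directory DACL: OR together the Allow ACEs that name
    // one of the user's SIDs, OR together the Deny ACEs, and subtract the denies.
    // This ignores ACE ordering (an explicit Allow is evaluated before an inherited
    // Deny), so it can under-report but never over-reports; for the exact answer
    // use the Win32 AuthzAccessCheck API.
    static FileSystemRights GetEffectiveRights(string path, ISet<SecurityIdentifier> sids)
    {
        DirectorySecurity ds = new DirectoryInfo(path).GetAccessControl(AccessControlSections.Access);
        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in ds.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            if (rule.AccessControlType == AccessControlType.Allow) allowed |= rule.FileSystemRights;
            else denied |= rule.FileSystemRights;
        }
        return allowed & ~denied;
    }

    static void Main()
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        {
            HashSet<SecurityIdentifier> sids = GetEffectiveSids(ctx, "jdoe");   // assumed account
            Console.WriteLine("App permissions: " + string.Join(", ", GetAppPermissions(sids)));

            FileSystemRights rights = GetEffectiveRights(@"D:\test\", sids);    // assumed path
            Console.WriteLine("Effective NTFS rights on D:\\test: " + rights);
            bool canWrite = (rights & FileSystemRights.WriteData) == FileSystemRights.WriteData;
            Console.WriteLine("Can write: " + canWrite);
        }
    }
}
```

Two points worth keeping when adapting this: authorization decisions should key on SIDs rather than display names, since names are mutable and a recreated group with the same name is a different principal; and the DACL summary above is deliberately pessimistic, so a "cannot write" result from it is safe to act on while a "can write" result is exact only when no Deny ACE is involved.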