UserPrincipals.GetAuthorizationGroups: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved

2023-09-08 12:35:44 Author: 红杏想出墙

Background:

I've been using UserPrincipal.GetAuthorizationGroups for a while now to check permissions in 2 different applications. They have been working fine for several years. Recently some users have been getting the error mentioned in the title (System.DirectoryServices.AccountManagement.PrincipalOperationException) while others have not. I have a suspicion that it might be related to a new domain controller that was added running on Windows Server 2012 because the problems started the day after it was added. The full error is listed below:

Exception:

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)

at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)

at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)

at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ...p)

at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroups

Question:

How do I fix this?

Recommended answer

I found an alternative using DirectorySearcher:

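using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;

// Build one searcher per domain in the current forest.
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();

var allSearcher = allDomains.Select(domain =>
    {
      DirectorySearcher searcher = new DirectorySearcher(
        new DirectoryEntry("LDAP://" + domain.Name));

      // "Current User Login Name" is a placeholder for the login name to look up.
      searcher.Filter = String.Format(
        "(&(&(objectCategory=person)(objectClass=user)(userPrincipalName=*{0}*)))",
        "Current User Login Name");

      return searcher;
    }
);

// Run every search and bind to each matching user object.
var directoryEntriesFound =
allSearcher.SelectMany(searcher =>
                        searcher.FindAll()
                          .Cast<SearchResult>()
                          .Select(result => result.GetDirectoryEntry()));

var memberOf = directoryEntriesFound.Select(entry =>
    {
      using (entry)
      {
        return new
        {
          Name = entry.Name,
          // MemberOf can hold zero, one or many values, so enumerate the
          // collection instead of casting Value to object[], and copy the
          // values out before the entry is disposed.
          GroupName = entry.Properties["MemberOf"]
                            .Cast<object>()
                            .Select(obj => obj.ToString())
                            .ToList()
        };
      }
    }
);

foreach (var user in memberOf)
{
    // Each value is the distinguished name of a group the user belongs to directly.
    foreach (var groupName in user.GroupName)
    {
      // "Group to Find" is a placeholder; Contains is a substring match on the DN.
      if (groupName.Contains("Group to Find"))
      {
        // Do something if the user is in that group
      }
    }
}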
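
An added example, not part of the original question or answer: the stack trace above fails in SidList.TranslateSids, that is, while group SIDs are being translated to names, so this code reads the user's tokenGroups SIDs and decides membership on the SID itself, translating to a name only for display. The class name, method names and sample SIDs are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;

static class TokenGroupCheck   // hypothetical helper class, not from the page
{
    // tokenGroups is a constructed attribute holding the SIDs of the user's
    // security groups, nested memberships included. No name lookup happens here.
    public static List<SecurityIdentifier> ReadTokenGroups(DirectoryEntry user)
    {
        user.RefreshCache(new[] { "tokenGroups" });   // must be requested explicitly
        return user.Properties["tokenGroups"]
                   .Cast<byte[]>()
                   .Select(raw => new SecurityIdentifier(raw, 0))
                   .ToList();
    }

    // The authorization decision compares SIDs, so a group whose SID cannot be
    // resolved to a name elsewhere in the token does not break the check.
    public static bool IsMember(IEnumerable<SecurityIdentifier> tokenGroups, SecurityIdentifier requiredGroup)
    {
        return tokenGroups.Any(sid => sid.Equals(requiredGroup));
    }

    // Name translation is kept for display and logging only; an unmapped SID falls back to S-1-... form.
    public static string DisplayName(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }

    static void Main()
    {
        // Constructed sample SIDs, not taken from a real domain.
        var required = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        var token = new List<SecurityIdentifier>
        {
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-513"),
            required,
            new SecurityIdentifier("S-1-5-21-9999999999-8888888888-7777777777-2001") // stands in for an unresolvable group
        };
        Console.WriteLine(IsMember(token, required));
        foreach (var sid in token) Console.WriteLine(DisplayName(sid));
    }
}
```

ReadTokenGroups expects a DirectoryEntry bound to the user object, such as the one returned by result.GetDirectoryEntry() in the answer's code.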
 