Querying ActiveDirectory does not work from the server (tag: ActiveDirectory)

2023-09-11 00:32:16 Author: 付出要留给对的人



I’m trying to get user details based on group membership from ActiveDirectory. This works on my local machine, but not when I run it on the server.

What I don’t understand is that it will return the number of members of the group correctly (although it has to be in a specific way, see comments in code), but not any details of the members of the group. I end up with a [DirectoryServicesCOMException (0x80072020): An operations error occurred.] whatever I do.

using System.DirectoryServices;

//DirectoryEntry DEntry = new DirectoryEntry("LDAP://DOMAIN"); //works only locally
DirectoryEntry DEntry = new DirectoryEntry("LDAP://DOMAIN", "Account", "Password"); //works locally and on the server

DirectorySearcher DSearcher = new DirectorySearcher();
DSearcher.SearchRoot = DEntry;
DSearcher.Filter = "(&(objectClass=group)(cn=GroupName))";
SearchResult SResult = DSearcher.FindOne();
DirectoryEntry DEGroup = new DirectoryEntry(SResult.Path); // bound without credentials, unlike DEntry
System.DirectoryServices.PropertyCollection PCollection = DEGroup.Properties;

//Label1.Text = PCollection["member"].Count.ToString(); //works only locally
Label1.Text = SResult.GetDirectoryEntry().Properties["member"].Count.ToString(); //works locally and on the server

//DirectoryEntry DEUser = new DirectoryEntry("LDAP://DOMAIN/" + PCollection["member"][0].ToString()); //works only locally
DirectoryEntry DEUser = new DirectoryEntry("LDAP://DOMAIN/" + SResult.GetDirectoryEntry().Properties["member"][0].ToString()); //works locally and on the server

//Label2.Text = DEUser.Properties["sAMAccountName"][0].ToString(); //works only locally

DEUser.Close();
DEntry.Close();
DEGroup.Close();

The App Pool Identity is Network Service, and web.config contains

<authentication mode="Windows" />
<identity impersonate="true" />

Solution

I suspect it's working on your machine because you're running in a Debugger as yourself. Depending on your ActiveDirectory setup, you can't query the directory as an anonymous user (which is what Network Service presents itself as).

Easiest test is to set the Application Pool Identity to a user in your domain (yours as a test), and you'll confirm root cause if it works.
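The pattern that bites here is that only the first `DirectoryEntry` in the question is bound with explicit credentials; every later entry (`DEGroup`, `DEUser`) is created without them, so on the server it is bound as whatever the worker process can present to the domain controller. With `impersonate="true"` and NTLM that is a non-delegable network token, which the DC rejects, and the bind surfaces as 0x80072020. The following C# is an added example, not code from the question or the answer: it reports which Windows identity the process is actually running as (the check the answer's "set the App Pool Identity" test is really probing), binds every entry with the same explicit service account using a secure (Kerberos/NTLM) bind rather than a simple bind, escapes the group name before it is placed in the LDAP filter, and turns the 0x80072020 case into a diagnostic that names the identity the DC saw. `DOMAIN`, `GroupName`, the service-account values and the `GroupMemberLookup` class name are placeholders and assumptions of this example.

```csharp
// Added example (not from the original question or answer). Assumes a domain-joined host running
// .NET Framework with System.DirectoryServices, and placeholder values for the domain, group and
// service-account credentials. The credentials are expected to come from protected configuration
// or a secret store, never from source code as in the question's snippet.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class GroupMemberLookup
{
    // Reports the identity the worker thread currently holds. Under impersonation this is the
    // web user, but an NTLM network-logon token cannot be forwarded to the DC (the classic
    // "double hop"), so the DC does not see this name unless delegation is configured.
    public static string CurrentIdentityReport()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("thread identity: {0}; auth type: {1}; impersonation level: {2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // RFC 4515 escaping so a caller-supplied group name cannot change the shape of the filter.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Resolves the sAMAccountName of each direct member of the group. Every bind, including the
    // per-member ones, uses the same explicit service account and AuthenticationTypes.Secure.
    public static List<string> GetGroupMemberAccounts(string domain, string groupName,
        string serviceUser, string servicePassword)
    {
        var accounts = new List<string>();
        using (var root = new DirectoryEntry("LDAP://" + domain, serviceUser, servicePassword,
                                             AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=group)(cn=" + EscapeLdapFilter(groupName) + "))";
            searcher.PropertiesToLoad.Add("member");
            SearchResult group = searcher.FindOne();
            if (group == null)
                return accounts;

            foreach (object memberDn in group.Properties["member"])
            {
                // The DN comes from the directory itself; bind to it with the same credentials
                // instead of inheriting the process identity as the question's DEUser does.
                using (var user = new DirectoryEntry("LDAP://" + domain + "/" + memberDn,
                                                     serviceUser, servicePassword,
                                                     AuthenticationTypes.Secure))
                {
                    PropertyValueCollection sam = user.Properties["sAMAccountName"];
                    accounts.Add(sam.Count > 0 ? sam[0].ToString() : memberDn.ToString());
                }
            }
        }
        return accounts;
    }

    // Wraps the lookup so the 0x80072020 case from the question is reported with the identity
    // the worker was running as, which is the first thing to compare between laptop and server.
    public static string DescribeLookup(string domain, string groupName,
        string serviceUser, string servicePassword)
    {
        try
        {
            List<string> members = GetGroupMemberAccounts(domain, groupName, serviceUser, servicePassword);
            return members.Count + " member(s): " + string.Join(", ", members);
        }
        catch (COMException ex) when ((uint)ex.ErrorCode == 0x80072020)
        {
            return "LDAP operations error (0x80072020): the bind reached the DC but was not " +
                   "accepted as an authenticated identity. " + CurrentIdentityReport();
        }
    }
}
```

Two caveats a practitioner should keep in mind: `member` is a ranged attribute, so for groups beyond the DC's result-size limit the loop above only sees the first range and a `member;range=` retrieval is needed; and a DN containing `/` must be escaped before it is appended to an `LDAP://` ADsPath. The preferred production fix is still the answer's: run the application pool as a dedicated least-privilege domain account (or a group managed service account) and drop the embedded credentials entirely, keeping `DescribeLookup` only as a diagnostic.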