问题
I'm using ASP.net with C# and have a very little idea about Active Directory. I've been given a task to write a program in steps below:
The ASP.net application is given the username of a user.
The application should query all the groups of the user with the given username.
Then the application should display these groups in two separate lists one consisting of the distribution groups and in other list, the rest of the groups.
Now, the querying for all the groups is easy. But how can I check whether the group is in distribution group or not?
I have not been given more information.
Any attribute or something I can check?
回答1:
You can retreive this information from an attribute called Groupe-Type(last line).
(0x00000001) : Specifies a group that is created by the system.
(0x00000002) : Specifies a group with global scope.
(0x00000004) : Specifies a group with domain local scope.
(0x00000008) : Specifies a group with universal scope.
(0x00000010) : Specifies an APP_BASIC group for Windows Server Authorization Manager.
(0x00000020) : Specifies an APP_QUERY group fir Windows Server Authorization Manager.
(0x80000000) :Specifies a security group. If this flag is not set, then the group is a distribution group.
You can find in this answer or at the botton of this other one different ways to retreive groups a user belongs to.
You can find here how to retreive user.
回答2:
Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
- Managing Directory Security Principals in the .NET Framework 3.5
- MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");
if(user != null)
{
// get all roles for that user
var roles = user.GetGroups();
// set up two lists for each type of groups
List<GroupPrincipal> securityGroups = new List<GroupPrincipal>();
List<GroupPrincipal> distributionGroups = new List<GroupPrincipal>();
// iterate over groups found
foreach (Principal p in roles)
{
// cast to GroupPrincipal
GroupPrincipal gp = (p as GroupPrincipal);
if (gp != null)
{
// check whether it's a security group or a distribution group
if (gp.IsSecurityGroup)
securityGroups.Add(gp);
else
distributionGroups.Add(gp);
}
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD!
回答3:
This code will retrieve all your email enabled groups, regardless of whether it is a security or distribution group. (Having seen your comment to marc_s's answer, I'm guessing this is actually what your managers are looking for).
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
Principal prototype = new GroupPrincipal(ctx);
PrincipalSearcher searcher = new PrincipalSearcher(prototype);
List<string> groupNames = new List<string>();
PropertyValueCollection email;
foreach (var gp in searcher.FindAll()) using (gp)
{
GroupPrincipal group = gp as GroupPrincipal;
using (DirectoryEntry groupEntry = ((DirectoryEntry)group.GetUnderlyingObject())
{
email = groupEntry.Properties["mail"];
if (email.Value != null)
{
groupNames.Add(group.Name);
}
}
}
}
来源:https://stackoverflow.com/questions/7962483/find-out-if-a-group-in-ad-is-in-distribution-group