Problem description
I have code that searches for all users in a department:
using System.DirectoryServices;

string Department = "Billing";
// Searcher bound to the default naming context (no server/domain prefix in the path)
DirectorySearcher LdapSearcher = new DirectorySearcher();
LdapSearcher.PropertiesToLoad.Add("displayName");
LdapSearcher.PropertiesToLoad.Add("cn");
LdapSearcher.PropertiesToLoad.Add("department");
LdapSearcher.PropertiesToLoad.Add("title");
LdapSearcher.PropertiesToLoad.Add("memberOf");
// Filter: user objects whose department attribute matches; Department is inserted as-is (no LDAP escaping)
LdapSearcher.Filter = string.Format("(&(objectClass=user)(department={0}))", Department);
SearchResultCollection src = LdapSearcher.FindAll();
What would the filter need to look like if I only wanted everyone in the "Manager Read Only" AD group?
Am I going about this all wrong?
Recommended answer
Looking at your search I have a couple of points for you. First, the search uses objectClass (non-indexed) instead of objectCategory (indexed). Huge performance issue with that query. You would almost always want to combine the two together, depending on what you are trying to retrieve:
(&(objectCategory=person)(objectClass=user)) = All users (no contacts)
(&(objectCategory=person)(objectClass=contact)) = All contacts (no users)
(&(objectCategory=person)) = All users and contacts
As for looking up the users in a group, you can enumerate the list of member objects of the specific group. The member attribute of the group object holds the distinguishedName of each user.
This article describes enumerating the members of a group...
Don't forget that you may have to handle nested groups of the parent group, as there isn't a default way to handle this with LDAP queries. For that you may need to evaluate whether the member object is a group and then get the member attribute of that child group.
Lastly, you should get in the habit of specifying a DNS prefix for your query.
Without DNS prefix:
LDAP://ou=ouname,dc=domain,dc=com
With DNS prefix (all three work):
LDAP://servername/ou=ouname,dc=domain,dc=com
LDAP://servername.domain.com/ou=ouname,dc=domain,dc=com
LDAP://domain.com/ou=ouname,dc=domain,dc=com
A single domain won't cause you much trouble, but when you try to run a search in a multiple-domain environment you will get bitten without this addition. Hope this helps move you closer to your goal.
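The following is an added example, not code from the question or the answer, that puts the answer's points together in C#: an indexed objectCategory filter, a DNS-prefixed path, recursion through nested groups, and escaping of the group name before it is placed in the filter (the question's string.Format pattern would otherwise let a crafted department value alter the filter). The domain name domain.com, the group name, and the class and method names are placeholders chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

class GroupMembers
{
    // Escape user-supplied text before it goes into an LDAP filter (RFC 4515), so a value such as "*" or "x)(cn=*" cannot widen the search.
    static string EscapeFilter(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    // Resolve the group's distinguishedName with an indexed objectCategory filter and a DNS-prefixed path.
    static string FindGroupDn(string domain, string groupName)
    {
        using (var root = new DirectoryEntry("LDAP://" + domain))
        using (var searcher = new DirectorySearcher(root, "(&(objectCategory=group)(cn=" + EscapeFilter(groupName) + "))"))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult r = searcher.FindOne();
            return r == null ? null : r.Properties["distinguishedName"][0].ToString();
        }
    }
    // Walk the group's "member" attribute. LDAP does not expand nested groups, so recurse into members whose objectClass contains "group"; seenGroups stops circular nesting from looping forever.
    static IEnumerable<string> EnumerateUsers(string domain, string groupDn, HashSet<string> seenGroups)
    {
        if (!seenGroups.Add(groupDn)) yield break;
        using (var group = new DirectoryEntry("LDAP://" + domain + "/" + groupDn))
        foreach (string memberDn in group.Properties["member"])
        using (var member = new DirectoryEntry("LDAP://" + domain + "/" + memberDn))
        {
            if (member.Properties["objectClass"].Contains("group"))
            {
                foreach (string dn in EnumerateUsers(domain, memberDn, seenGroups)) yield return dn;
            }
            // A user is objectCategory=person plus objectClass=user; contacts and computer accounts are excluded.
            else if (member.Properties["objectClass"].Contains("user") &&
                     member.Properties["objectCategory"].Value.ToString().StartsWith("CN=Person,", StringComparison.OrdinalIgnoreCase))
            {
                yield return memberDn;
            }
        }
    }

    static void Main()
    {
        const string domain = "domain.com";   // placeholder: your domain's DNS name
        string groupDn = FindGroupDn(domain, "Manager Read Only");
        if (groupDn == null) { Console.WriteLine("group not found"); return; }
        foreach (string dn in EnumerateUsers(domain, groupDn, new HashSet<string>(StringComparer.OrdinalIgnoreCase)))
            Console.WriteLine(dn);
    }
}
```

Member DNs that contain a forward slash need it escaped as "\/" before being appended to an LDAP:// path, which this example does not do.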