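I am creating an export file containing all TFS projects, users and their associated TFS groups for a specific TFS collection (using ITeamProjectCollectionService, IIdentityManagementService).
I noticed that I also get disabled AD users. How can I filter the disabled AD users out of this list? I do not have direct access to the AD environment. Microsoft.TeamFoundation.Server.Identity does not contain this property.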
    // environmentConfig, environmentCredential and result are defined elsewhere in the exporter.
    Uri configurationServerUri = new Uri(environmentConfig.Uri);
    TfsConfigurationServer configurationServer = TfsConfigurationServerFactory.GetConfigurationServer(configurationServerUri);
    var tpcService = configurationServer.GetService<ITeamProjectCollectionService>();
    foreach (TeamProjectCollection tpc in tpcService.GetCollections())
    {
        var tfsProjectCollection = new TfsTeamProjectCollection(new Uri(environmentConfig.Uri + "/" + tpc.Name), environmentCredential);
        var vcs = tfsProjectCollection.GetService<VersionControlServer>();
        var sec = tfsProjectCollection.GetService<IGroupSecurityService>();
        var teamProjects = vcs.GetAllTeamProjects(false);
        foreach (var teamProject in teamProjects)
        {
            // Application groups defined for this team project
            var appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);
            foreach (var group in appGroups)
            {
                Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);
                foreach (Identity member in groupMembers)
                {
                    if (member.Members != null)
                    {
                        foreach (string memberSid in member.Members)
                        {
                            Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
                            // Keep only Windows user accounts; skip nested groups
                            if (memberInfo.Type != IdentityType.WindowsUser)
                                continue;
                            result.Add(new TfsPermission { Collection = tfsProjectCollection.Name, TeamProject = teamProject.Name,
                                User = memberInfo.AccountName, Domain = memberInfo.Domain, Group = group.DisplayName });
                        }
                    }
                }
            }
        }
    }
Good luck, Yan

Answer 0: (score: 0)
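You can use memberInfo.Domain == "DomainName" to determine whether the account is an AD account. Usually, if the identity is a Windows account added in TFS, the memberInfo.Domain property equals the server name rather than the domain name.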
    foreach (string memberSid in member.Members)
    {
        Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
        if (memberInfo.Type == IdentityType.WindowsUser && memberInfo.Domain == "DomainName")
        {
            result.Add(new TfsPermission
            {
                Collection = tfsProjectCollection.Name,
                TeamProject = teamProject.Name,
                User = memberInfo.AccountName,
                Domain = memberInfo.Domain,
                Group = group.DisplayName
            });
        }
    }
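Then, to check whether these accounts are disabled in AD: as Starain said, this cannot be done with the TFS API. However, you can use the method below to check, for each account you get, whether it is disabled in AD: find if user account is enabled or disabled in AD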
    // Requires: using System.DirectoryServices;
    //           using System.DirectoryServices.AccountManagement;
    const string accountName = "name"; // The accountName of the AD user
    var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
    var userPrincipal = UserPrincipal.FindByIdentity(principalContext, accountName);
    if (userPrincipal != null)
    {
        var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
        var status = IsAccountDisabled(dirEntry);
    }

    // Judge whether the account is disabled in AD
    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        const string uac = "userAccountControl";
        const int AccountDisabled = 0x0002; // ADS_UF_ACCOUNTDISABLE bit of userAccountControl
        if (user.NativeGuid == null) return false;
        if (user.Properties[uac] != null && user.Properties[uac].Value != null)
        {
            // userAccountControl is a bit field; test the disable bit directly
            var userFlags = (int)user.Properties[uac].Value;
            return (userFlags & AccountDisabled) != 0;
        }
        return false;
    }
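However, memberInfo.Type can only distinguish whether the Identity is a user account or a TFS group. As we all know, when you set someone's permissions, you choose to add an account or a TFS group.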
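
An added example, not part of the question or the answer above: one way to apply the AD check to every exported member without repeating the lookup for each group a user belongs to, using the UserPrincipal.Enabled property instead of reading userAccountControl. AdAccountState and AdAccountStateCache are hypothetical names, and the code assumes the account running the export is allowed to query the domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
// Alias avoids the clash with the TFS IdentityType enum used in the export loop.
using AdIdentityType = System.DirectoryServices.AccountManagement.IdentityType;
public enum AdAccountState { Enabled, Disabled, NotFound, LookupFailed }

// Hypothetical helper (not a TFS or AD API): one AD lookup per DOMAIN\account.
public sealed class AdAccountStateCache : IDisposable
{
    private readonly Dictionary<string, PrincipalContext> _contexts =
        new Dictionary<string, PrincipalContext>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, AdAccountState> _states =
        new Dictionary<string, AdAccountState>(StringComparer.OrdinalIgnoreCase);

    // Usage inside the export loop (assumed):
    //   if (cache.GetState(memberInfo.Domain, memberInfo.AccountName) == AdAccountState.Disabled) continue;
    public AdAccountState GetState(string domain, string accountName)
    {
        string key = domain + "\\" + accountName;
        AdAccountState state;
        if (_states.TryGetValue(key, out state)) return state;
        try
        {
            PrincipalContext ctx;
            if (!_contexts.TryGetValue(domain, out ctx))
            {
                // Assumption: binds as the account running the export.
                ctx = new PrincipalContext(ContextType.Domain, domain);
                _contexts[domain] = ctx;
            }
            using (var user = UserPrincipal.FindByIdentity(ctx, AdIdentityType.SamAccountName, accountName))
            {
                if (user == null) state = AdAccountState.NotFound;
                else if (user.Enabled == null) state = AdAccountState.LookupFailed;
                else state = user.Enabled.Value ? AdAccountState.Enabled : AdAccountState.Disabled;
            }
        }
        catch (PrincipalException)
        {
            // Domain unreachable or lookup refused: report unknown, never guess.
            state = AdAccountState.LookupFailed;
        }
        _states[key] = state;
        return state;
    }

    public void Dispose() { foreach (var ctx in _contexts.Values) ctx.Dispose(); }
}
```

For an access review, rows that come back as NotFound or LookupFailed are better kept in the export and marked than silently dropped, since they still hold the TFS group membership.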