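Interacting with TFS 2015 (on-premises)

Time: 2017-03-09 15:43:33

Tags: c# tfs tfs2015

I am creating an export file that contains all TFS projects, users, and their associated TFS groups for a specific TFS collection. (Using ITeamProjectCollectionService, IIdentityManagementService)

I noticed that I am also receiving disabled AD users. How can I filter the disabled AD users out of this list? I have no direct access to the AD environment. Microsoft.TeamFoundation.Server.Identity does not contain this property.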

        Uri configurationServerUri = new Uri(environmentConfig.Uri);
        TfsConfigurationServer configurationServer = TfsConfigurationServerFactory.GetConfigurationServer(configurationServerUri);
        var tpcService = configurationServer.GetService<ITeamProjectCollectionService>();
        foreach (TeamProjectCollection tpc in tpcService.GetCollections())
        {
            var tfsProjectCollection = new TfsTeamProjectCollection(new Uri(environmentConfig.Uri + "/" + tpc.Name), environmentCredential);

            var vcs = tfsProjectCollection.GetService<VersionControlServer>();
            var sec = tfsProjectCollection.GetService<IGroupSecurityService>();

            var teamProjects = vcs.GetAllTeamProjects(false);
            foreach (var teamProject in teamProjects)
            {
                var appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

                foreach (var group in appGroups)
                {
                    Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);
                    foreach (Identity member in groupMembers)
                    {
                        if (member.Members != null)
                        {
                            foreach (string memberSid in member.Members)
                            {
                                Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
                                if (memberInfo.Type != IdentityType.WindowsUser)
                                    continue;

                                result.Add(new TfsPermission { Collection = tfsProjectCollection.Name, TeamProject = teamProject.Name,
                                    User = memberInfo.AccountName, Domain = memberInfo.Domain, Group = group.DisplayName });
                            }
                        }
                    }
                }
            }
        }

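Best regards, Yan

1 answer:

Answer 0: (score: 0)

You can use memberInfo.Domain == "DomainName" to determine whether the account is an AD account. Usually, if the identity is a Windows account added in TFS, the memberInfo.Domain property equals the server name rather than the domain name.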

foreach (string memberSid in member.Members)
{
    Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
    if (memberInfo.Type == IdentityType.WindowsUser && memberInfo.Domain == "DomainName")
    {
        result.Add(new TfsPermission
        {
            Collection = tfsProjectCollection.Name,
            TeamProject = teamProject.Name,
            User = memberInfo.AccountName,
            Domain = memberInfo.Domain,
            Group = group.DisplayName
        });
    }
}

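Then, as for checking whether these accounts are disabled in AD: as Starain said, this cannot be done with the TFS API. However, you can use the method below to check whether each account you obtained is disabled in AD: find if user account is enabled or disabled in AD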

// Requires: using System.DirectoryServices; using System.DirectoryServices.AccountManagement;
const string accountName = "name"; // The accountName of the AD user
// "domainNameHere", "AdminUser" and "AdminPass" are placeholders
var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
var userPrincipal = UserPrincipal.FindByIdentity(principalContext, accountName);

if (userPrincipal != null)
{
    var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
    var status = IsAccountDisabled(dirEntry); // true if the account is disabled
}

// Judge whether the account is disabled in AD
public static bool IsAccountDisabled(DirectoryEntry user)
{
    const string uac = "userAccountControl";
    const int accountDisable = 0x0002; // ADS_UF_ACCOUNTDISABLE bit
    if (user.NativeGuid == null) return false;

    if (user.Properties[uac] != null && user.Properties[uac].Value != null)
    {
        // userAccountControl is stored as an integer bit mask
        var userFlags = (int)user.Properties[uac].Value;
        return (userFlags & accountDisable) != 0;
    }

    return false;
}

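However, memberInfo.Type can only distinguish whether the Identity is a user account or a TFS group. As you know, when you set someone's permissions, you choose to add either an account or a TFS group.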
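An added example, not code from the question or the answer: instead of one AD lookup per exported account, a single paged LDAP query collects every disabled account and the export rows are filtered against that set. It assumes read access to AD, that TfsPermission holds plain strings, that memberInfo.AccountName corresponds to sAMAccountName, and a placeholder LDAP path; DisabledAccountFilter and its methods are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

// Assumed shape of the export row used on this page (all strings).
public class TfsPermission
{
    public string Collection, TeamProject, User, Domain, Group;
}

public static class DisabledAccountFilter
{
    // Bit 0x2 of userAccountControl is ADS_UF_ACCOUNTDISABLE; the matching rule
    // 1.2.840.113556.1.4.803 (bitwise AND) lets the domain controller test it.
    private const string DisabledUsersFilter =
        "(&(objectCategory=person)(objectClass=user)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=2))";

    // One paged query that returns the sAMAccountName of every disabled user.
    // ldapPath is a placeholder such as "LDAP://DC=example,DC=com"; the bind
    // uses the credentials of the account running the export.
    public static HashSet<string> LoadDisabledAccounts(string ldapPath)
    {
        var disabled = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(
            root, DisabledUsersFilter, new[] { "sAMAccountName" }))
        {
            searcher.PageSize = 1000; // page results instead of stopping at the server size limit
            using (SearchResultCollection hits = searcher.FindAll())
                foreach (SearchResult hit in hits)
                    if (hit.Properties["sAMAccountName"].Count > 0)
                        disabled.Add((string)hit.Properties["sAMAccountName"][0]);
        }
        return disabled;
    }

    // Keep rows from other domains (e.g. local server accounts) and AD rows
    // whose account name is not in the disabled set.
    public static List<TfsPermission> RemoveDisabled(
        IEnumerable<TfsPermission> rows, string adDomain, ISet<string> disabled)
    {
        return rows.Where(r =>
            !string.Equals(r.Domain, adDomain, StringComparison.OrdinalIgnoreCase)
            || !disabled.Contains(r.User)).ToList();
    }
}
```

Call LoadDisabledAccounts once before the export loop, then pass the collected rows, the AD domain name as it appears in memberInfo.Domain, and the returned set to RemoveDisabled.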