我正在尝试确定给定的本地用户帐户是否在本地Administrators组中。一切正常,直到系统加入域。加入域后,将引发一个异常,即未找到网络路径,仅当查找本地非管理员帐户时;如果测试帐户是本地管理员,则该方法返回正常。
这是代码示例:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if(account != null)
{
using (GroupPrincipal groupPrinciple = new GroupPrincipal(principalContext))
{
groupPrinciple.SamAccountName = groupName;
using (PrincipalSearcher groupSearcher = new PrincipalSearcher(groupPrinciple))
{
GroupPrincipal group = (GroupPrincipal)groupSearcher.FindOne();
if (account.IsMemberOf(group))
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
}
}
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}
结果堆栈为:
Unhandled Exception: System.Runtime.InteropServices.COMException: The network path was not found.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
at AdminGroupTest.Program.Main(String[] args)
我已经指定了机器上下文,并尝试使用重载来进一步指定本地机器。我可以理解这是否是AD的权限问题,除了简单地更改目标帐户即可更改行为,而与执行帐户无关,并且查询本地管理员帐户(不是默认的admin)也可以。 PrincipleSearcher找到了帐户,但无法测试会员资格...我必须忽略某些东西。
答案 0 :(得分:2)
默认情况下,将计算机加入域时,“域管理员”组将添加到本地“管理员”组。
查询Principal.IsMemberOf(GroupPrincipal)时,将枚举GroupPrincipal.Members。
首先,检查所有顶级组成员。这包括本地用户,这就是为什么在检查本地管理员用户时呼叫成功的原因。
如果未找到匹配项,则代码将枚举作为相关组成员的其他组。在这种情况下,是域管理员。
为了枚举Domain Admins的成员,需要进行活动目录查找,但是执行用户没有特权来执行域查询。
您可以简单地向UserPrincipal请求其组,而不是枚举组来查找成员:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if (account != null)
{
foreach (var group in account.GetGroups())
{
if (group.SamAccountName == groupName && group.ContextType == ContextType.Machine)
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
return;
}
}
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}