Question

我知道Active Directory允许至少一个对象具有与当前对象相同的已分配管理器（属性）。换句话说，员工是他们自己的经理（即CEO）。

有人知道管理者与给定对象相同的情况下是否可以有多个对象（即，有共同CEO）？ Microsoft在此主题上保持沉默（请参阅下面的链接）。

我正在将AD对象提取到SQL Server表中，并开发一个递归查询以建立员工到经理的层次结构。查询的第一步是获取CEO DistinguishedName = ManagerDistinguishedName所在的位置。查询的第二步将所有员工放在DistinguishedName <> ManagerDistinguishedName所在的位置。

该查询当前仅在公司只有一位首席执行官的情况下起作用。不幸的是，我没有用于AD的开发环境来测试联合首席执行官以及它如何影响查询。换句话说，我不确定是否存在基于数据和查询约束的无限循环的可能性。

Manager Attribute

更新

;WITH EmployeeList AS (
        SELECT EmployeeObjectKey = ObjectKey, EmployeeFullName = FullName, EmployeeSamAccountName = SamAccountName, ManagerObjectKey
            ,ManagerFullName = FullName, ManagerSamAccountName = SamAccountName, EmployeeLevel = 1
        FROM #TEMP_ManagerToEmployeeHierarchy
        WHERE ObjectKey = ManagerObjectKey -- The CEO of the organization should be the only employee who's manager is themself.
        UNION ALL
        SELECT EmployeeObjectKey = E.ObjectKey, EmployeeFullName = E.FullName, EmployeeSamAccountName = E.SamAccountName, E.ManagerObjectKey
            ,ManagerFullName = M.EmployeeFullName, ManagerSamAccountName = M.EmployeeSamAccountName, EmployeeLevel = M.EmployeeLevel + 1
        FROM #TEMP_ManagerToEmployeeHierarchy E -- Employee
        INNER JOIN EmployeeList M -- Manager
            ON E.ManagerObjectKey = M.EmployeeObjectKey
            AND ObjectKey <> E.ManagerObjectKey -- Do not remove this exclusion, otherwise an infinite loop is created and the query will fail.
        )

SELECT *
FROM EmployeeList
ORDER BY EmployeeLevel, ManagerFullName, EmployeeFullName

位置：

。＃TEMP_ManagerToEmployeeHierarchy是仅包含活动用户帐户的临时表。
ObjectKey是基于插入对象顺序的IDENTITY值。换句话说，它是objectGuid属性的转换。

Answer 1

创建一个虚拟帐户，将其命名为“组织名称”。这可以被禁用。用所有活动用户和虚拟帐户填充您的#TEMP_ManagerToEmployeeHierarchy表。

让组织用户成为CEO / CEO / President或其他人的经理。

将GUID明确设置为组织虚拟帐户。即使CEO离开了，这个GUID现在也永远不会改变。

这应该可以解决您的递归问题，因为您现在至少要跟踪头部。

现在应该可以从顶部开始向下移动。

;WITH EmployeeList AS (
        SELECT EmployeeObjectKey = ObjectKey, EmployeeFullName = FullName, EmployeeSamAccountName = SamAccountName, ManagerObjectKey
            ,ManagerFullName = FullName, ManagerSamAccountName = SamAccountName, EmployeeLevel = 1
        FROM #TEMP_ManagerToEmployeeHierarchy
        WHERE ObjectKey = '{objectGuidOfTheOrganizationDummyAccount}' -- Root Node (Company name)
        UNION ALL
        SELECT EmployeeObjectKey = E.ObjectKey, EmployeeFullName = E.FullName, EmployeeSamAccountName = E.SamAccountName, E.ManagerObjectKey
            ,ManagerFullName = M.EmployeeFullName, ManagerSamAccountName = M.EmployeeSamAccountName, EmployeeLevel = M.EmployeeLevel + 1
        FROM #TEMP_ManagerToEmployeeHierarchy E -- Employee
        INNER JOIN EmployeeList M -- Manager
            ON E.ManagerObjectKey = M.EmployeeObjectKey
            AND ObjectKey <> E.ManagerObjectKey -- This should probably be remove. If there is no manager, then nothing is returned and we should be good.
        )

SELECT *
FROM EmployeeList
ORDER BY EmployeeLevel, ManagerFullName, EmployeeFullName
WHERE EmployeeLevel <> 1

Active Directory管理器属性规则

1 个答案: