GroupPrincipal.GetMembers fails when group (or child group if recursive) contains ForeignSecurityPrincipal(当组(或子组,如果递归)包含 ForeignSecurityPrincipal 时 GroupPrincipal.GetMembers 失败)
问题描述
对于遇到相同问题的任何人来说,这与其说是一个问题,不如说是一个信息.
出现以下错误:
System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (87) occurred while enumerating the groups. The group's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
at System.DirectoryServices.AccountManagement.SidList.ctor(List`1 sidListByteFormat, String target, NetCred credentials)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.TranslateForeignMembers()
当运行以下代码并且组或子组包含 ForeignSecurityPrincipal 时:
When the following code is run and a group or child group contains a ForeignSecurityPrincipal:
private static void GetUsersFromGroup()
{
var groupDistinguishedName = "CN=IIS_IUSRS,CN=Builtin,DC=Domain,DC=com";
//NB: Exception thrown during iteration of members rather than call to GetMembers.
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "Domain", "Username", "Password"))
{
using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, groupDistinguishedName))
{
using (var searchResults = groupPrincipal.GetMembers(true))//Occurs when false also.
{
foreach (UserPrincipal item in searchResults.OfType())
{
Console.WriteLine("Found user: {0}", item.SamAccountName)
}
}
}
}
}
我向 Microsoft 拨打了支持电话,他们已确认这是一个问题.内部提出了一个错误,但尚未确认是否会修复.
Microsoft 建议使用以下解决方法代码,但由于重复调用 UserPrincipal.FindByIdentity,它在具有大量用户的组中表现不佳.
Microsoft suggested the following workaround code but it performs poorly on groups with a large number of users because of the repeated calls to UserPrincipal.FindByIdentity.
class Program
{
//"CN=IIS_IUSRS,CN=Builtin,DC=dev-sp-sandbox,DC=local"; //TODO MODIFY THIS LINE ACCORDING TO YOUR DC CONFIGURATION
static void Main(string[] args)
{
if (args.Length != 1)
{
Console.WriteLine("Usage: ListGroupMembers "group's DistinguishedName"");
Console.WriteLine("Example: ListGroupMembers "CN=IIS_IUSRS,CN=Builtin,DC=MyDomain,DC=local"");
return;
}
string groupDistinguishedName = args[0];
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "dev-sp-dc", "Administrator", "Corp123!");
List<UserPrincipal> users = new List<UserPrincipal>();
listGroupMembers(groupDistinguishedName, ctx, users);
foreach (UserPrincipal u in users)
{
Console.WriteLine(u.DistinguishedName);
}
}
//Recursively list the group's members which are not Foreign Security Principals
private static void listGroupMembers(string groupDistinguishedName, PrincipalContext ctx, List<UserPrincipal> users)
{
DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDistinguishedName);
foreach (string dn in group.Properties["member"])
{
DirectoryEntry gpMemberEntry = new DirectoryEntry("LDAP://" + dn);
System.DirectoryServices.PropertyCollection userProps = gpMemberEntry.Properties;
object[] objCls = (userProps["objectClass"].Value) as object[];
if (objCls.Contains("group"))
listGroupMembers(userProps["distinguishedName"].Value as string, ctx, users);
if (!objCls.Contains("foreignSecurityPrincipal"))
{
UserPrincipal u = UserPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, dn);
if(u!=null) // u==null for any other types except users
users.Add(u);
}
}
}
}
可以修改上面的代码以查找导致组问题的外国安全主体.
The above code could be modified to find foreign security principals causing problems in groups.
Microsoft 提供了有关外国安全主体的以下信息:
这是 AD 中的一类对象,它代表来自外部源(因此是另一个林/域或下面的特殊"帐户之一)的安全主体.该类记录在此处:http://msdn.microsoft.com/en-us/library/cc221858(v=PROT.10).aspx容器记录在此处:http://msdn.microsoft.com/en-us/library/cc200915(v=PROT.10).aspxFSP 不是 AD 中的真实对象,而是指向位于不同的受信任域/林中的对象的占位符(指针).它也可以是特殊身份"之一,即一堆知名帐户,这些帐户也被归类为 FSP,因为它们的 SID 与域 SID 不同.例如这里记录的匿名、经过身份验证的用户、批处理和其他几个帐户:http://technet.microsoft.com/en-us/library/cc779144(v=WS.10).aspx
This is a class of objects in AD which represents a security principal from an external source (so another forest/domain or one of the "special" accounts below). The class is documented here: http://msdn.microsoft.com/en-us/library/cc221858(v=PROT.10).aspx And the container is documented here : http://msdn.microsoft.com/en-us/library/cc200915(v=PROT.10).aspx A FSP is not a real object in AD, but rather a placeholder (pointer) to an object which lives in a different, trusted domain/forest. It can also be one of the "special identities" which are a bunch of well-known accounts who are also classed as FSP’s because their SID’s are different to the domain SID. For example the anonymous, Authenticated User, batch and several other accounts as documented here: http://technet.microsoft.com/en-us/library/cc779144(v=WS.10).aspx
推荐答案
当然这是一个旧线程,但可能对某人有所帮助.我使用下面的代码块来解决问题.Principal 类公开了一个名为 StructuralObjectClass 的属性,它告诉您该主体的 AD 类是什么.我用它来决定对象是否是用户.GetMembers(true) 递归搜索相关 groupPrincipal 中的所有嵌套成员.
Sure this is an old thread, but might help someone. I used the below code block the solve the problem. the Principal class exposes a property called StructuralObjectClass which tells you what is the AD Class of that principal. I used this to decide whether the object is a user. The GetMembers(true) recursively searches all nested-members in the groupPrincipal in question.
希望这对某人有所帮助.
Hope this helps someone.
List<UserPrincipal> members = new List<UserPrincipal>();
foreach (var principal in groupPrincipal.GetMembers(true))
{
var type = principal.StructuralObjectClass;
if (type.Contains("user"))
members.Add((UserPrincipal)principal);
}
谢谢,R
这篇关于当组(或子组,如果递归)包含 ForeignSecurityPrincipal 时 GroupPrincipal.GetMembers 失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:当组(或子组,如果递归)包含 ForeignSecurityPrincip
基础教程推荐
- 覆盖 Json.Net 中的默认原始类型处理 2022-01-01
- 当键值未知时反序列化 JSON 2022-01-01
- 从 VB6 迁移到 .NET/.NET Core 的最佳策略或工具 2022-01-01
- 我什么时候应该使用 GC.SuppressFinalize()? 2022-01-01
- 创建属性设置器委托 2022-01-01
- 如何使用OpenXML SDK将Excel转换为CSV? 2022-01-01
- C# - 将浮点数转换为整数...并根据余数更改整数 2022-01-01
- 使用 SED 在 XML 标签之间提取值 2022-01-01
- C# - 如何列出发布到 ASPX 页面的变量名称和值 2022-01-01
- Page.OnAppearing 中的 Xamarin.Forms Page.DisplayAlert 2022-01-01