Active Directory - get all users in multiple Ad Groups
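Is there a way to get all active users in multiple groups?
For example:
Get all active users in "AdGroupA" OR "AdGroupB" OR "AdGroupC"
I have seen posts about a single group, but not about multiple groups.
Thanks.
If I understand you correctly, you just want to return the whole list of users in multiple groups? That should be as simple as getting the users from a single group multiple times.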
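using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public IEnumerable<UserPrincipal> GetUsersFromGroups(string[] groupNames)
{
    using (var ctx = new PrincipalContext(ContextType.Domain))
    {
        foreach (var groupName in groupNames)
        {
            var group = GroupPrincipal.FindByIdentity(ctx, groupName);
            if (group == null) continue; // skip names that do not resolve to a group
            // GetMembers() returns Principal objects; keep only the users
            foreach (var userPrincipal in group.GetMembers().OfType<UserPrincipal>())
            {
                yield return userPrincipal;
            }
        }
    }
}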
Here is a method that does not use AccountManagement:
using System.Collections.Generic;
using System.DirectoryServices;

public static IEnumerable<DirectoryEntry> GetUsersFromGroups(string[] groupNames)
{
    if (groupNames.Length > 0)
    {
        var searcher = new DirectorySearcher();
        string searchFilter = "(&(objectClass=Group)"; // filter for groups
        searchFilter += "(|"; // start a group of OR parameters
        foreach (var group in groupNames) // loop through the group names
        {
            // add a parameter for each group in the list; the name is inserted verbatim,
            // so it must not contain unescaped LDAP filter characters such as ( ) * \
            searchFilter += string.Format("(SAMAccountName={0})", group);
        }
        searchFilter += "))"; // close off the filter string
        searcher.Filter = searchFilter; // add the filter to the searcher
        searcher.PropertiesToLoad.Add("member"); // load the members property for the group
        var searchResults = searcher.FindAll(); // perform the search
        foreach (SearchResult result in searchResults)
        {
            var directoryEntry = result.GetDirectoryEntry(); // get the directory entry for the group
            PropertyValueCollection members = directoryEntry.Properties["member"]; // get the members collection
            foreach (string name in members) // iterate through the members; each string is a distinguished name
            {
                // return the directory entry; you may get the entry and return the display name, or just return the distinguished name
                yield return new DirectoryEntry(string.Format("LDAP://{0}", name));
            }
        }
    }
}
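In my environment, I found this to be on average 25% faster than using DirectoryServices.AccountManagement for 1 group, but as the number of groups and users increases, the AccountManagement method actually becomes faster. This only queries AD once, whereas the first method queries once per group.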
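The question asks for active users, and group names often arrive from configuration or user input. The following added example (not code from either answer) escapes every filter value per RFC 4515 and returns only enabled accounts, each listed once; the class and method names are hypothetical, and it assumes the code runs against the current domain.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;

public static class GroupUserQuery // hypothetical name, added example
{
    // RFC 4515: escape \ * ( ) and NUL as a backslash followed by two hex digits.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Builds (|(attr=v1)(attr=v2)...) with every value escaped.
    public static string AnyOf(string attribute, IEnumerable<string> values)
    {
        return "(|" + string.Concat(values.Select(v => "(" + attribute + "=" + EscapeFilterValue(v) + ")")) + ")";
    }

    // sAMAccountName of each enabled user that is a direct member of any listed group.
    public static List<string> GetEnabledUsers(string[] groupNames)
    {
        var users = new List<string>();
        var groupDns = new List<string>();
        if (groupNames.Length == 0) return users;
        using (var s = new DirectorySearcher("(&(objectClass=group)" + AnyOf("sAMAccountName", groupNames) + ")", new[] { "distinguishedName" }))
        using (SearchResultCollection groups = s.FindAll())
            foreach (SearchResult g in groups)
                groupDns.Add((string)g.Properties["distinguishedName"][0]);
        if (groupDns.Count == 0) return users;
        // Bit 2 of userAccountControl is ACCOUNTDISABLE; the OID selects bitwise-AND matching.
        string filter = "(&(objectCategory=person)(objectClass=user)"
            + "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" + AnyOf("memberOf", groupDns) + ")";
        using (var s = new DirectorySearcher(filter, new[] { "sAMAccountName" }) { PageSize = 500 })
        using (SearchResultCollection found = s.FindAll())
            foreach (SearchResult u in found)
                users.Add((string)u.Properties["sAMAccountName"][0]);
        return users;
    }
}
```

The `memberOf` attribute covers direct membership only: users who belong to a group through a nested group, or only through their primary group, are not matched by this filter.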