Slow AD group membership lookup

I have some code that checks whether a domain user is a member of the computer's Administrators group:

using System;
using System.DirectoryServices.AccountManagement;

// Note: groupName is not used here; the group name is hard-coded below.
public static bool ActiveDirectoryGroupMembershipOk(string userid, string groupName)
{
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine, "my_pc_name"))
    {
        using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "administrators"))
        {
            if (grp != null)
            {
                foreach (Principal p in grp.GetMembers(false))
                {
                    if (p is UserPrincipal && p.SamAccountName.Equals(userid, StringComparison.InvariantCultureIgnoreCase))
                    {
                        return true;
                    }
                }
            }
        }
    }
    return false;
}

It works, but the following line of code takes a few seconds to complete:

using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "administrators"))

Is there a faster way to look up the membership?

I don't know whether it matters, but the userid is a domain user and the Windows group is on the local PC.

I found that it seems to be faster not to look up the user in the group, but instead to check the user's role membership.

Here is code that executes faster than the code in my question:

public static bool ActiveDirectoryGroupMembershipOk(string userid, string groupName)
{
    bool membershipOk = false;
    using (var pc = new PrincipalContext(ContextType.Machine, "my_pc_name"))
    {
        using (var p = Principal.FindByIdentity(pc, IdentityType.SamAccountName, userid))
        {
            // if user account exists, check the group membership
            if (p != null)
            {
                // WindowsIdentity(string) expects a user principal name (UPN);
                // dispose it to release the underlying token handle.
                using (var wi = new System.Security.Principal.WindowsIdentity(userid))
                {
                    var wp = new System.Security.Principal.WindowsPrincipal(wi);
                    membershipOk = wp.IsInRole(groupName);
                }
            }
        }
    }
    return membershipOk;
}

I found a still better way (assuming an AD domain), using part of Mr. Blonde's answer:

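public static bool ActiveDirectoryGroupMembershipOk(String userid, String groupname)
{
    // Dispose the context and principals; they hold directory connections.
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userid))
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupname))
    {
        // FindByIdentity returns null when the user or group is not found.
        return user != null && group != null && user.IsMemberOf(group);
    }
}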
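
An added example (not part of the answers above or of any project's code): a variant of the domain check that goes beyond the answer by comparing SIDs rather than names and by resolving nested groups through `GetAuthorizationGroups`, returning false whenever membership cannot be confirmed. The class and method names are hypothetical; it assumes a domain-joined Windows host and a reference to System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupCheck   // hypothetical name, for illustration only
{
    // Returns true only when membership is positively confirmed (fail closed).
    public static bool IsInDomainGroup(string userid, string groupname)
    {
        if (string.IsNullOrWhiteSpace(userid) || string.IsNullOrWhiteSpace(groupname))
            return false;

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userid))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupname))
            {
                // Unknown user or group: deny rather than throw.
                if (user == null || group == null || group.Sid == null)
                    return false;

                SecurityIdentifier target = group.Sid;

                // GetAuthorizationGroups returns the user's security groups,
                // searched recursively, so nested membership is included.
                using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
                {
                    foreach (Principal g in groups)
                    {
                        // Compare SIDs, not display or account names.
                        if (g.Sid != null && g.Sid.Equals(target))
                            return true;
                    }
                }
                return false;
            }
        }
        catch (PrincipalException)
        {
            // Directory unreachable or a principal could not be resolved:
            // treat as "not a member" instead of letting the caller guess.
            return false;
        }
    }
}
```

Measure this against the lookup times discussed above before putting it on a hot path.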