Principal.IsMemberOf 本地用户帐户加入域时出现异常
Principal.IsMemberOf exception for local user account when joined to Domain
我正在尝试确定给定的本地用户帐户是否在本地管理员组中。在系统加入域之前一切正常。当加入域时抛出异常,提示未找到网络路径,但仅在查找本地非管理员帐户时才会抛出异常;如果测试帐户是本地管理员,方法 returns 没问题。
这是代码示例:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if(account != null)
{
using (GroupPrincipal groupPrinciple = new GroupPrincipal(principalContext))
{
groupPrinciple.SamAccountName = groupName;
using (PrincipalSearcher groupSearcher = new PrincipalSearcher(groupPrinciple))
{
GroupPrincipal group = (GroupPrincipal)groupSearcher.FindOne();
if (account.IsMemberOf(group))
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
}
}
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}
生成的堆栈是:
Unhandled Exception: System.Runtime.InteropServices.COMException: The network path was not found.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
at AdminGroupTest.Program.Main(String[] args)
我已经指定了机器上下文并尝试使用重载来进一步指定本地机器。我可以理解这是否是 AD 的权限问题,除了简单地更改目标帐户会改变行为而不管执行帐户如何,并且查询本地管理员帐户(不是默认管理员)有效。 PrincipleSearcher 找到了帐户,但无法测试成员资格......一定是我忽略了什么。
默认情况下,将计算机加入域时,"Domain Admins" 组将添加到本地 "Administrators" 组。
当您查询 Principal.IsMemberOf(GroupPrincipal) 时,GroupPrincipal.Members 被枚举。
首先,检查所有顶级组成员。这包括本地用户,这就是在检查本地管理员用户时调用成功的原因。
如果未找到匹配项,则代码会枚举属于相关组成员的其他组。在这种情况下,域管理员。
为了枚举域管理员的成员,需要进行活动目录查找,但您的执行用户没有执行域查询的权限。
无需枚举组来查找成员,您只需向 UserPrincipal 询问其组即可:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if (account != null)
{
foreach (var group in account.GetGroups())
{
if (group.SamAccountName == groupName && group.ContextType == ContextType.Machine)
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
return;
}
}
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}
我正在尝试确定给定的本地用户帐户是否在本地管理员组中。在系统加入域之前一切正常。当加入域时抛出异常,提示未找到网络路径,但仅在查找本地非管理员帐户时才会抛出异常;如果测试帐户是本地管理员,方法 returns 没问题。
这是代码示例:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if(account != null)
{
using (GroupPrincipal groupPrinciple = new GroupPrincipal(principalContext))
{
groupPrinciple.SamAccountName = groupName;
using (PrincipalSearcher groupSearcher = new PrincipalSearcher(groupPrinciple))
{
GroupPrincipal group = (GroupPrincipal)groupSearcher.FindOne();
if (account.IsMemberOf(group))
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
}
}
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}
生成的堆栈是:
Unhandled Exception: System.Runtime.InteropServices.COMException: The network path was not found.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
at AdminGroupTest.Program.Main(String[] args)
我已经指定了机器上下文并尝试使用重载来进一步指定本地机器。我可以理解这是否是 AD 的权限问题,除了简单地更改目标帐户会改变行为而不管执行帐户如何,并且查询本地管理员帐户(不是默认管理员)有效。 PrincipleSearcher 找到了帐户,但无法测试成员资格......一定是我忽略了什么。
默认情况下,将计算机加入域时,"Domain Admins" 组将添加到本地 "Administrators" 组。
当您查询 Principal.IsMemberOf(GroupPrincipal) 时,GroupPrincipal.Members 被枚举。
首先,检查所有顶级组成员。这包括本地用户,这就是在检查本地管理员用户时调用成功的原因。
如果未找到匹配项,则代码会枚举属于相关组成员的其他组。在这种情况下,域管理员。
为了枚举域管理员的成员,需要进行活动目录查找,但您的执行用户没有执行域查询的权限。
无需枚举组来查找成员,您只需向 UserPrincipal 询问其组即可:
string accountName = @"localAccountName";
string groupName = @"Administrators";
using (PrincipalContext principalContext = new PrincipalContext(ContextType.Machine))
{
using (UserPrincipal accountPrinciple = new UserPrincipal(principalContext))
{
accountPrinciple.SamAccountName = accountName;
using (PrincipalSearcher accountSearcher = new PrincipalSearcher(accountPrinciple))
{
UserPrincipal account = (UserPrincipal)accountSearcher.FindOne();
if (account != null)
{
foreach (var group in account.GetGroups())
{
if (group.SamAccountName == groupName && group.ContextType == ContextType.Machine)
{
Console.WriteLine(@"{0} is part of the administrators group", accountName);
return;
}
}
Console.WriteLine(@"{0} is not part of the administrators group", accountName);
}
else
{
Console.WriteLine(@"{0} is not found", accountName);
}
}
}
}