如何确定 AD 组是否包含来自另一个（受信任）域的给定 DirectoryEntry？

Question

我正在尝试增强我的代码，以确定用户是否是给定 AD 组的成员。它本质上是有效的，除非该组的成员碰巧来自另一个（受信任的）域，因为它被存储为 foreignsecurityprincipal。

鉴于我对要测试的组和要检查的帐户都有一个有效的 DirectoryEntry 对象，我需要一个 DirectorySearcher 过滤器字符串，它可以让我确认该帐户在该组中，甚至如果该帐户是外国证券负责人。

（演示问题的VB.NET代码示例）

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher(ContainerGroup, "(WHATCANIPUTINHERE)", New String() {"member;Range=0-5000"}, SearchScope.Base)
DSearcher.AttributeScopeQuery = "member"

'If an object is found, the account was in the group
Return (DSearcher.FindOne() IsNot Nothing)  

Answer 1

好的。找到了。这是诀窍。

我正在尝试增强我的代码，以确定用户是否是给定 AD 组的成员。它本质上是有效的，除非组的成员碰巧来自另一个（受信任的）域，因为它被存储为 foreignsecurityprincipal。

（VB.NET代码示例）

Dim ContainerGroup as DirectoryEntry = ... Code to get Group
Dim UserToCheckFor as DirectoryEntry = ... Code to get User

DSearcher = New DirectorySearcher
Dim DSearcher As New DirectorySearcher(ContainerGroup, getLDAPQueryStringUsingSID(containedGroup), New String() {"member;Range=0-5000"}, SearchScope.Base)

Return (DSearcher.FindOne() IsNot Nothing) 


** Helper Methods **

Private Function getLDAPQueryStringUsingSID(ByVal DEObject As DirectoryEntry) As String            
  Return "(objectSid=" + getSDDLSidForDirectoryEntry(DEObject) + ")"
End Function

Private Function getSDDLSidForDirectoryEntry(ByVal DEObject As DirectoryEntry) As String
      Dim bytes As Byte() = CType(DEObject.Properties("objectSid").Value, Byte())
      Dim sid As New System.Security.Principal.SecurityIdentifier(bytes, 0)
      Return sid.ToString
End Function