2012-01-31 51 views
3

Active Directory: working with DACLs

I want my own static class to work with AD. I wrote a static method:

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static void AddReadingAceForGroup(DirectoryEntry dirEntry, string groupName)
{
    dirEntry.RefreshCache();
    DirectoryEntry root = new DirectoryEntry("LDAP://192.168.1.1/dc=mydomain,dc=ru");
    // Look the group up by CN and replace root with the group's own entry
    using (DirectorySearcher ds = new DirectorySearcher(root, "CN=" + groupName))
    {
        SearchResult sr = ds.FindOne();
        root = sr.GetDirectoryEntry();
    }
    try
    {
        // GetGroup() returns the primary group recorded in the group object's
        // own security descriptor, not the group's SID (the answer below
        // replaces this with the group's SID)
        ActiveDirectoryAccessRule accessRule =
            new ActiveDirectoryAccessRule(root.ObjectSecurity.GetGroup(typeof(SecurityIdentifier)),
                ActiveDirectoryRights.GenericRead, AccessControlType.Allow);
        dirEntry.ObjectSecurity.AddAccessRule(accessRule);
        dirEntry.CommitChanges();
    }
    catch (Exception e)
    {
        // Swallowing the exception hides any failure to write the ACE
    }
}

Before using this function I impersonate a user with remote credentials; the code then runs without exceptions but has no effect. A similar function that removes an ACE works fine.

Answers

0

The final working code is:

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

// Resolve the group's own SID through the account-management API
public static SecurityIdentifier GetGroupSid(string groupName, string domainControllerIp)
{
    SecurityIdentifier sid = null;
    using (PrincipalContext dcx = new PrincipalContext(ContextType.Domain, domainControllerIp))
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(dcx, groupName))
    {
        if (group != null)
        {
            sid = group.Sid;
        }
    }
    return sid;
}

public static void AddDaclsAceForGroup(DirectoryEntry dirEntry, string groupName, string ip)
{
    SecurityIdentifier sid = GetGroupSid(groupName, ip);
    if (sid == null)
    {
        throw new ArgumentException("Group not found: " + groupName, "groupName");
    }
    // Allow the group GenericRead on dirEntry and write the DACL back;
    // failures propagate instead of being swallowed by an empty catch
    ActiveDirectoryAccessRule accessRule =
        new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow);
    dirEntry.ObjectSecurity.AddAccessRule(accessRule);
    dirEntry.CommitChanges();
}

I just had an error with the group SID. The code is flawless, but not what I was expecting. Sorry for my bad English.
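As an added example (not code from the original question or answer), the same operation written the way a practitioner would want to ship it: the group's SID is read straight from its objectSid attribute through a parenthesised, escaped LDAP filter (the question's "CN=" + groupName is neither, and ObjectSecurity.GetGroup() returns the primary group of the object's security descriptor rather than the group's SID); only the DACL is written back, so the caller does not also need rights over owner and group; and the DACL is re-read after CommitChanges to confirm the ACE is present, rather than treating the absence of an exception as success. The LDAP paths, domain and group names in the usage comment are placeholders, not values from the page.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added example, not the asker's code. Assumes the process runs as (or
// impersonates) an account allowed to modify the target object's DACL.
public static class DaclHelper
{
    // Escape a value for use inside an LDAP search filter (RFC 4515) so a
    // caller-supplied group name cannot change the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Resolve a group's SID from its own objectSid attribute.
    public static SecurityIdentifier FindGroupSid(DirectoryEntry searchRoot, string samAccountName)
    {
        string filter = "(&(objectCategory=group)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (var searcher = new DirectorySearcher(searchRoot, filter, new[] { "objectSid" }, SearchScope.Subtree))
        {
            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new InvalidOperationException("Group not found: " + samAccountName);
            var sidBytes = (byte[])result.Properties["objectSid"][0];
            return new SecurityIdentifier(sidBytes, 0);
        }
    }

    // Add an Allow ACE for sid and confirm it is present by re-reading the
    // DACL after CommitChanges.
    public static bool GrantRightsAndVerify(DirectoryEntry target, SecurityIdentifier sid, ActiveDirectoryRights rights)
    {
        // Write back only the DACL; the default mask also rewrites owner and
        // group, which requires rights the caller may not hold.
        target.Options.SecurityMasks = SecurityMasks.Dacl;
        target.ObjectSecurity.AddAccessRule(new ActiveDirectoryAccessRule(sid, rights, AccessControlType.Allow));
        target.CommitChanges();

        // Reload the security descriptor and look for an explicit Allow ACE
        // for this SID that covers every requested right.
        target.RefreshCache(new[] { "nTSecurityDescriptor" });
        foreach (ActiveDirectoryAccessRule rule in target.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && rule.IdentityReference.Equals(sid)
                && (rule.ActiveDirectoryRights & rights) == rights)
                return true;
        }
        return false;
    }

    // Usage with placeholder paths and names (assumed, not from the page):
    //
    // using (var root = new DirectoryEntry("LDAP://dc01.example.com/DC=example,DC=com"))
    // using (var target = new DirectoryEntry("LDAP://dc01.example.com/OU=Servers,DC=example,DC=com"))
    // {
    //     SecurityIdentifier sid = DaclHelper.FindGroupSid(root, "ServerReaders");
    //     bool ok = DaclHelper.GrantRightsAndVerify(target, sid, ActiveDirectoryRights.GenericRead);
    //     if (!ok) throw new InvalidOperationException("ACE was not written");
    // }
}
```

GenericRead grants read access to every attribute of the object, including any confidential ones the target carries; when only specific attributes need to be readable, pass ActiveDirectoryRights.ReadProperty together with the attribute's schema GUID to the ActiveDirectoryAccessRule overload that takes an objectType, and the verification loop above still applies.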